Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.0.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Replacing the Fortinet_Wifi certificate

    Replacing the Fortinet_Wifi certificate

    Note

    These instruction apply to FortiWiFi devices using internal WiFi radios and FortiGate/FortiWiFi devices configured as WiFi Controllers that are managing FortiAP devices, and have WiFi clients that are connected to WPA2-Enterprise SSID and authenticated with local user groups.

    On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise SSIDs with local user-group authentication. The default WiFi certificate configuration is:

    config system global
    set wifi-ca-certificate "Fortinet_Wifi_CA"
    set wifi-certificate "Fortinet_Wifi"
end

    WiFi administrators must consider the following factors:

    • The Fortinet_Wifi certificate is issued to Fortinet Inc. with common name (CN) auth-cert.fortinet.com. If a company or organization requires their own CN in their WiFi deployment, they must replace it with their own certificate.
    • The Fortinet_Wifi certificate has an expire date. When it is expiring, it must be renewed or replaced with a new certificate.
    To replace the Fortinet_Wifi certificate:
    1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding private key file:

      Purchase a publicly signed certificate from a commercial certificate service provider, or generate a self-signed certificate.

    2. Import the new certificate files into FortiOS:
      1. On the FortiGate, go to System > Certificates.

        If VDOMs are enable, got to Global > System > Certificates.

      2. Click Import > CA Certificate.
      3. Set the Type to File and upload the CA certificate file from the management computer.

      4. Click OK.

        The imported CA certificate is named CA_Cert_N, or G_CA_Cert_N when VDOMs are enabled, where N starts from 1 and increments for each imported certificate, and G stands for global range.

      5. Click Import > Local Certificate.
      6. Set the Type to Certificate, upload the certificate file and key file, enter the password, and enter the certificate name.

      7. Click OK.

        The imported certificates are listed on the Certificates page.

    3. Change the WiFi certificate settings:
      config system global
    set wifi-ca-certificate <name of the imported CA certificate>
    set wifi-certificate <name of the imported certificate signed by the CA>
end

    Notes

    Note

    If necessary, the factory default certificates can also be used to replace the certificates:

    config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

    As the factory default certificates are self-signed, WiFi clients will need to accept it at the connection prompt, or import the Fortinet_CA certificate to validate it.
    Caution

    If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi clients can still connect to the WPA2‑Enterprise SSID with local user-group authentication by ignoring any prompted warning messages or bypassing Validate server certificate (or similar) options.
    Tooltip

    With FortiOS 6.0.1 and later, the Fortinet_Wifi certificate can be updated automatically through the FortiGuard service certificate bundle update.
    Previous
    Next

    Replacing the Fortinet_Wifi certificate

    Replacing the Fortinet_Wifi certificate

    Note

    These instruction apply to FortiWiFi devices using internal WiFi radios and FortiGate/FortiWiFi devices configured as WiFi Controllers that are managing FortiAP devices, and have WiFi clients that are connected to WPA2-Enterprise SSID and authenticated with local user groups.

    On FortiOS, the built-in Fortinet_Wifi certificate is a publicly signed certificate that is only used in WPA2-Enterprise SSIDs with local user-group authentication. The default WiFi certificate configuration is:

    config system global
    set wifi-ca-certificate "Fortinet_Wifi_CA"
    set wifi-certificate "Fortinet_Wifi"
end

    WiFi administrators must consider the following factors:

    • The Fortinet_Wifi certificate is issued to Fortinet Inc. with common name (CN) auth-cert.fortinet.com. If a company or organization requires their own CN in their WiFi deployment, they must replace it with their own certificate.
    • The Fortinet_Wifi certificate has an expire date. When it is expiring, it must be renewed or replaced with a new certificate.
    To replace the Fortinet_Wifi certificate:
    1. Get new certificate files, including a root CA certificate, a certificate signed by the CA, and the corresponding private key file:

      Purchase a publicly signed certificate from a commercial certificate service provider, or generate a self-signed certificate.

    2. Import the new certificate files into FortiOS:
      1. On the FortiGate, go to System > Certificates.

        If VDOMs are enable, got to Global > System > Certificates.

      2. Click Import > CA Certificate.
      3. Set the Type to File and upload the CA certificate file from the management computer.

      4. Click OK.

        The imported CA certificate is named CA_Cert_N, or G_CA_Cert_N when VDOMs are enabled, where N starts from 1 and increments for each imported certificate, and G stands for global range.

      5. Click Import > Local Certificate.
      6. Set the Type to Certificate, upload the certificate file and key file, enter the password, and enter the certificate name.

      7. Click OK.

        The imported certificates are listed on the Certificates page.

    3. Change the WiFi certificate settings:
      config system global
    set wifi-ca-certificate <name of the imported CA certificate>
    set wifi-certificate <name of the imported certificate signed by the CA>
end

    Notes

    Note

    If necessary, the factory default certificates can also be used to replace the certificates:

    config system global
    set wifi-ca-certificate "Fortinet_CA"
    set wifi-certificate "Fortinet_Factory"
end

    As the factory default certificates are self-signed, WiFi clients will need to accept it at the connection prompt, or import the Fortinet_CA certificate to validate it.
    Caution

    If the built-in Fortinet_Wifi certificate has expired and not been renewed or replaced, WiFi clients can still connect to the WPA2‑Enterprise SSID with local user-group authentication by ignoring any prompted warning messages or bypassing Validate server certificate (or similar) options.
    Tooltip

    With FortiOS 6.0.1 and later, the Fortinet_Wifi certificate can be updated automatically through the FortiGuard service certificate bundle update.
    Previous
    Next