Setting the certificates used by the Fortigate

Admin Server Certificate

This is the certificate presented by the HTTPS administrative GUI when you log in to the Fortigate:

config system global
set admin-server-cert CustomCert
end

Authentication Certificate

This is the certificate presented by the Fortigate's HTTPS firewall-authentication (captive portal) page, i.e. the page a user is sent to when an identity-based policy requires them to log in:

config system global
set auth-cert CustomCert
end

Blocked page certificate

This is the certificate used to display the blocked-page replacement message when a user visits an HTTPS site that is blocked:

config system global
set user-server-cert CustomCert
end


Authentication Server Redirect page

When a user needs to authenticate they are redirected to the Fortigate authentication page by its IP address. If the server certificate was issued with CN=domain name, the browser will show an invalid-certificate warning, because the IP address does not match the name in the certificate (modern browsers check the Subject Alternative Name rather than the CN, so the name should be present there as well). Redirect the authentication page to the Fortigate's domain name instead so that it matches the certificate; that name must resolve, on the users' DNS, to the Fortigate interface they are being authenticated on. This is configured in the firewall policy when the identity-based option is selected:

config firewall policy
edit <policyID>
set auth-redirect-addr <fqdn-in-certificate>
next
end
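The name check the browser performs against the redirect address, as an added example written for this page (not FortiGate code): it takes the names carried by the auth-cert and a candidate auth-redirect-addr value and reports whether the browser would accept the match. The certificate names used here are constructed sample values, not taken from any real certificate. The rules are a simplified form of RFC 6125: exact case-insensitive match, or a single left-most wildcard label that matches exactly one label; an IP literal matches only an IP-address SAN, never a CN; and the subject CN is consulted only when the certificate carries no SAN at all (the legacy fallback, which current browsers no longer apply).

```python
"""Check whether a FortiGate auth-redirect-addr is covered by the auth-cert.

Added example for this page, not FortiGate code. Certificate names are
passed in as a dict (constructed sample values below) so the check runs
offline; in practice you would read them out of the certificate itself.
"""
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Case-insensitive DNS-name match. A '*' is allowed only as the whole
    left-most label and matches exactly one label, so '*.example.com'
    covers 'fw.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject bare '*', '*.com' and partial wildcards such as 'fw*.example.com'.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def redirect_matches_cert(redirect_addr, cert_names):
    """Return True if redirect_addr is a name the certificate is valid for.

    cert_names: {"cn": str or None, "dns": [DNS SANs], "ip": [IP SANs]}.
    """
    dns_sans = cert_names.get("dns", [])
    ip_sans = cert_names.get("ip", [])
    try:
        ip = ipaddress.ip_address(redirect_addr)
    except ValueError:
        ip = None

    if ip is not None:
        # An IP literal must appear as an IP-address SAN; CN=1.2.3.4 or a
        # DNS SAN containing the dotted quad does not count.
        return any(ip == ipaddress.ip_address(s) for s in ip_sans)
    if dns_sans or ip_sans:
        # Once any SAN is present the CN is ignored entirely.
        return any(_dns_name_matches(n, redirect_addr) for n in dns_sans)
    cn = cert_names.get("cn")
    return bool(cn) and _dns_name_matches(cn, redirect_addr)


def describe(redirect_addr, cert_names):
    """Human-readable verdict for a given auth-redirect-addr value."""
    if redirect_matches_cert(redirect_addr, cert_names):
        return "OK: %s matches the auth-cert" % redirect_addr
    return ("WARNING: %s is not in the auth-cert (cn=%s dns=%s ip=%s); "
            "browsers will show a certificate error"
            % (redirect_addr, cert_names.get("cn"),
               cert_names.get("dns", []), cert_names.get("ip", [])))


# Constructed sample: the auth-cert was issued for the firewall's FQDN only.
SAMPLE_AUTH_CERT = {"cn": "fw.example.com", "dns": ["fw.example.com"], "ip": []}

if __name__ == "__main__":
    # Default behaviour: redirect by IP address -> mismatch.
    print(describe("192.0.2.1", SAMPLE_AUTH_CERT))
    # After 'set auth-redirect-addr fw.example.com' -> match.
    print(describe("fw.example.com", SAMPLE_AUTH_CERT))
```

If you really must redirect to an IP address, the only clean fix is to reissue the auth-cert with that address as an IP-address SAN; putting the address in the CN is not enough for current browsers.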

SSL VPN Certificate

This is the certificate presented to users when they connect to the SSL VPN portal or tunnel:

config vpn ssl settings
set servercert CustomCert
end

SSL Proxy Certificate

This is the certificate used to perform the man-in-the-middle when HTTPS deep inspection is turned on: the Fortigate generates a server certificate on the fly for each inspected site and re-signs it with this one. It must therefore be a CA certificate (basicConstraints CA:TRUE, key usage keyCertSign) whose private key is held on the Fortigate, not an ordinary server certificate. The same CA certificate has to be installed in the trust store of every client behind the firewall, otherwise every inspected HTTPS site will produce a certificate warning.

config firewall ssl setting
set caname CustomCert
end

On newer FortiOS releases this setting is no longer global but lives in the SSL/SSH inspection profile (config firewall ssl-ssh-profile, edit the profile, set caname CustomCert), so check which form your firmware uses.

