Technical Tip: IPsec gateway authentication using computer certificate fails after upgrade to FortiClient v7.4.4
| Description | This article describes a known issue preventing the use of computer certificates for authenticating to IPsec VPN after upgrading to FortiClient Windows v7.4.4. |
| Scope | FortiClient Windows v7.4.4. |
| Solution | FortiClient can access certificates in the computer store for authenticating to the IPsec VPN:
Note: Even if computer account certificates are visible in FortiClient, 'Allow non-administrators to use machine certificates' must be checked in EMS, or '<run_fcauth_system>' must be enabled in XML configuration for FortiClient to have access to the certificate private key.
In FortiClient Windows v7.4.3 and v7.2.x versions, this works as expected. After upgrading to v7.4.4, the IPsec VPN connection fails to establish with a 'CertificateSignFailed' error (the certificate is still selectable in FortiGate GUI).
This is a result of a permissions issue triggered by the upgrade and is tracked as Issue ID# 1205084, see New Known Issues. A fix is scheduled for inclusion in the upcoming FortiClient v7.4.5.
FortiClient can access system certificates in the logged-in user's user store without additional configuration.
Related document: Access to certificates in windows certificates stores
Resolution: Upgrade to FortiClient Windows v7.4.5 and ensure <run_fcauth_system> is enabled.
<run_fcauth_system>1</run_fcauth_system>
Workaround: |
