Koushik_IND_Banglore
Staff
April 30, 2025

Technical Tip: Certificate authentication for SSL VPN users matches if the account subject string on FortiGate matches part of the information in the certificate subject

Description: This article describes the behavior of the certificate setting for PKI users.
Scope: FortiGate.
Solution:

By default, certificate authentication succeeds, and the user can log in to SSL VPN, if the account subject string on FortiGate matches part of the information in the certificate subject. If the PKI user's subject must fully match the certificate subject, adjust the following settings:

 

config vpn certificate setting

set subject-match substring|value
set cn-match substring|value

end

 

Matching is substring-based by default, but this can be changed with the CLI commands above. 'value' means an exact match.
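
Before changing these settings, it helps to know which PKI users currently rely on partial matching. The following audit sketch is an added example, not Fortinet code: it models the two modes only as this article describes them (substring = the configured string appears anywhere in the certificate subject, value = the strings are identical), and the user names, subjects and function names are constructed for illustration.

```python
# Simplified model of the two matching modes described in this article.
# Assumption: plain, case-sensitive string comparison; this is not FortiOS's
# own matching code.

def matches(configured: str, cert_subject: str, mode: str) -> bool:
    if mode == "substring":
        return configured in cert_subject
    if mode == "value":
        return configured == cert_subject
    raise ValueError(f"unknown mode: {mode}")


def audit(pki_users: dict, cert_subjects: list) -> dict:
    """For each PKI user, list the certificate subjects accepted in each mode."""
    report = {}
    for user, configured in pki_users.items():
        sub = [c for c in cert_subjects if matches(configured, c, "substring")]
        exact = [c for c in cert_subjects if matches(configured, c, "value")]
        report[user] = {
            "substring": sub,
            "value": exact,
            # Subjects accepted only because matching is partial.
            "over_match": [c for c in sub if c not in exact],
            # True if this user would stop authenticating under exact matching.
            "breaks_on_value": bool(sub) and not exact,
        }
    return report


# Constructed sample data: configured subject string per PKI user (hypothetical).
PKI_USERS = {
    "alice": "CN=alice,OU=VPN,O=Example",
    "bob": "CN=bob",
}
# Constructed sample data: subjects of certificates issued by the trusted CA.
CERT_SUBJECTS = [
    "CN=alice,OU=VPN,O=Example",
    "CN=bob,OU=VPN,O=Example",
    "CN=bobby,OU=Contractors,O=Example",
]

if __name__ == "__main__":
    for user, result in audit(PKI_USERS, CERT_SUBJECTS).items():
        print(user, result)
```

Users flagged with `breaks_on_value` need their subject string updated to the full certificate subject before exact matching is enabled; entries under `over_match` show which additional certificates the default mode accepts for that account.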