hmohseni (Staff)
March 5, 2026

Technical Tip: FortiGate Certificate-based IPsec VPN Configuration

Description

This article describes the strict certificate-chain dependencies that apply when configuring IPsec VPN authentication with certificates.

Scope

FortiGate running versions 7.0, 7.2, 7.4, 7.6 and 8.0.
Solution

When configuring IPsec VPN with certificate-based authentication, both peers must be able to validate the certificate chain presented during IKE authentication.

The client leaf certificate and the server leaf certificate installed on the FortiGate must chain to the same trusted CA hierarchy when a specific CA is configured for peer validation. Proper chain validation is mandatory for successful authentication.

Additional details about this requirement are explained in Dial-up IPsec VPN with certificate authentication.

In typical deployments, a Root CA signs one or more Intermediate (subordinate) CAs, which then issue the actual leaf certificates. Authentication succeeds only if the full certificate chain (Leaf -> Intermediate(s) -> Root) can be validated and the Root CA is trusted.

Trust Requirements:

For mutual certificate authentication to succeed when a CA is defined under the IPsec peer configuration:

  • The client certificate must chain to the configured trusted CA.

  • The FortiGate server certificate must also chain to the same trusted CA.

  • Both certificate chains must terminate at the same Root CA (or the same CA hierarchy).

There is no implicit trust relationship between different Root CAs in this configuration context. Validation succeeds only when both certificates ultimately belong to the same trust chain.

Consider the following example of a scenario that will not work:

  • Client certificate signed by an internal private CA.
  • Client has a public Root CA in its trust store.
  • Server certificate signed by a public CA.
  • Server has both the public CA and the internal private CA in its trust store.

Although each side may individually trust the other's issuing CA, authentication fails because the two leaf certificates do not chain to the same configured CA hierarchy.
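To check the trust requirements and the failing scenario above before loading certificates onto a FortiGate, here is an added example (not from the article or from Fortinet) that rebuilds both hierarchies with openssl on a workstation and validates each leaf against the CA that would be configured under the IPsec peer. It assumes openssl is on PATH; every file name and CN in it is constructed.

```shell
#!/bin/sh
# Added example, not from the article: rebuild the failing scenario with
# openssl and validate each leaf against the CA configured for the peer.
# Assumes openssl is on PATH; every file name and CN below is constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed CA ("openssl req -x509" marks it CA:TRUE). $1 = file stem, $2 = CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.pem" \
    -subj "/CN=$2" -days 2 >/dev/null 2>&1
}

# Certificate issued by an existing CA.
# $1 = stem, $2 = CN, $3 = issuer stem, $4 = CA:TRUE (intermediate) or CA:FALSE (leaf)
issue() {
  printf 'basicConstraints=%s\n' "$4" >"$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -extfile "$1.ext" -out "$1.pem" -days 2 >/dev/null 2>&1
}

# The article's rule: succeed only if BOTH leaves chain to the configured CA.
# $1 = configured CA file, $2/$3 = client and server leaf stems,
# $4 = file with the intermediates (sent in IKE, hence "untrusted" input).
chains_to_same_ca() {
  openssl verify -CAfile "$1" -untrusted "$4" "$2.pem" >/dev/null 2>&1 &&
    openssl verify -CAfile "$1" -untrusted "$4" "$3.pem" >/dev/null 2>&1
}

# Two unrelated hierarchies, as in the failing scenario.
make_ca private_root "Internal Private Root CA"
issue   private_int  "Internal Private Intermediate CA" private_root CA:TRUE
issue   client       "vpn-client"        private_int  CA:FALSE   # client leaf
make_ca public_root  "Public Root CA"
issue   server_pub   "fortigate.example" public_root  CA:FALSE   # server leaf, public CA
issue   server_priv  "fortigate.example" private_int  CA:FALSE   # server leaf, private CA
cat private_int.pem >intermediates.pem

# Mixed hierarchy: each leaf is valid on its own, yet the pair is rejected.
if chains_to_same_ca private_root.pem client server_pub intermediates.pem; then
  echo "unexpected: mixed hierarchy validated"
else
  echo "rejected: client and server leaves chain to different roots"
fi
# Fix: issue the server leaf under the same hierarchy as the client.
chains_to_same_ca private_root.pem client server_priv intermediates.pem &&
  echo "accepted: both leaves chain to the configured CA"
```

The same two `openssl verify` calls, run with the CA you intend to configure under the peer as `-CAfile`, are a quick way to confirm both leaves pass before troubleshooting IKE.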