Requirements:
- A CA certificate that signs user certificates.
- A client certificate signed by the CA.
- A server certificate signed by the CA.
This article walks through the creation, with OpenSSL, of a self-signed CA, a client certificate signed by that CA, and a server certificate signed by that CA. The following templates are used to create them in this example. Create 3 text files, paste one template into each, and change the extension from .txt to .cnf.
CA certificate template (RootCA.cnf):

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
subjectAltName = @alt_names

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or user's name)

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = gbt.local

Client certificate template (Client.cnf):

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or user's name)

[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:false
subjectAltName = DNS:gbt.local,DNS:vpn.gbt.local
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth

Server certificate template (Server.cnf):

[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
x509_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
commonName = Common Name (e.g. server FQDN or user's name)

[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:false
subjectAltName = DNS:gbt.local,DNS:vpn.gbt.local
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth

Create the certificates.
First, install OpenSSL for Windows. Copy the templates previously created to the OpenSSL folder. Then, open the command line as an administrator and navigate to the OpenSSL folder. For example: C:\Program Files\OpenSSL-Win64\bin.
Create the CA certificate by running the following commands:
- Generates a 2048-bit RSA private key, encrypts it with AES-256, and saves it to ca.key.
- Creates a self-signed X.509 root certificate, valid for 3650 days, signed with the private key ca.key, using SHA-256, CA extensions (v3_ca), and the configuration in RootCA.cnf, and saves it as ca.pem.
openssl.exe genrsa -aes256 -out ca.key 2048
[ENTER A PASSWORD]
openssl.exe req -new -x509 -extensions v3_ca -days 3650 -key ca.key -sha256 -out ca.pem -config RootCA.cnf
[ENTER THE INFORMATION REQUESTED]

The ca.key file and a CA certificate named ca.pem should now be available:
Create the client certificate by running the following commands:
- Generate a 2048-bit RSA private key (client.key).
- Create a certificate signing request (client.csr) using client.cnf.
- Sign the CSR with the CA (ca.pem / ca.key) to issue a client certificate (client.pem), valid for 1024 days with SHA-256 and v3_req extensions.
- Export the client key and certificate (plus CA certificate) into a PKCS#12 bundle (client.pfx).
openssl.exe genrsa -out client.key 2048
openssl.exe req -new -key client.key -out client.csr -config client.cnf
openssl.exe x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 1024 -sha256 -extfile client.cnf -extensions v3_req
openssl.exe pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile ca.pem

The files below, and the client.pfx PKCS#12 bundle, should now be available:

Create the server certificate by running the following commands:
- Generates a 2048-bit server private key (server.key).
- Creates a CSR (server.csr) using that server key and server.cnf.
- Signs the CSR with the CA (ca.pem / ca.key) to issue a server certificate (server.pem), valid for 1024 days with SHA-256 and v3_req extensions.
- Exports the server key, server certificate, and CA certificate into a PKCS#12 bundle (server.pfx).
openssl.exe genrsa -out server.key 2048
openssl.exe req -new -key server.key -out server.csr -config server.cnf
openssl.exe x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 1024 -sha256 -extfile server.cnf -extensions v3_req
openssl.exe pkcs12 -export -out server.pfx -inkey server.key -in server.pem -certfile ca.pem

The files below, and the server.pfx PKCS#12 bundle, should now be available:

Import the server certificate to the FortiGate.
It is time to import the server.key, ca.pem, and server.pem files into the FortiGate.
- Navigate to System -> Certificate -> Create/Import.
- Select Import Certificate -> Select Type Certificate.
- Upload server.pem.
- Upload server.key.
- Enter the key password, if one was set, and select Create.
The server certificate should now show under Local Certificate:

Import the CA Certificate to the FortiGate.
Navigate to System -> Certificate -> Create/Import and repeat the steps above with ca.pem. The CA Certificate should now show under Remote CA Certificate:

Import the client certificate and the CA into the Windows Client.
Required files: Client.pfx, ca.pem.
Install the client certificate on the Windows client system. In the wizard, select Store Location -> Local Machine -> Next. Import Client.pfx -> Next -> Enter the password previously created in OpenSSL -> Next -> Select Place all certificates in the following store and select Personal -> Next -> Finish.
The client certificate should now be available under the certificate store:

Install the CA certificate. Change the file extension of ca.pem to ca.cer. Open it and select Install Certificate -> Store Location -> Local Machine -> Next -> Select Place all certificates in the following store -> Select Trusted Root Certification Authorities -> Next -> Finish.
The CA Certificate should now be available under the certificate store trusted root:

Configure PKI users on the FortiGate.

config user peer
    edit User2
        set ca CA_Cert_1
        set cn Gabriel
    next
end

In this example, the desired outcome is for the FortiGate to look at the CN field in the certificate subject provided by the Client.
Assign a PKI user to a group on the FortiGate.
config user peergrp
    edit pki_users
        set member User2
    next
end

Configure the dial-up IPsec tunnel.
config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw 10.9.10.62
        set authmethod signature
        set peertype peergrp
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha512
        set dpd on-idle
        set dhgrp 14
        set certificate "server"
        set peergrp "pki_users"
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set dns-mode auto
        set ipv4-split-include "Dialup_split"
        set save-password enable
        set dpd-retryinterval 60
    next
end

In this example, the settings have been changed to assign the peertype to peergrp, authmethod to signature, and set the certificate for use with the authmethod of signature:

set authmethod signature
set peertype peergrp
set certificate "server"
set peergrp "pki_users"

Configure FortiClient:
- In the FortiClient, select Create a new VPN connection.
- Fill in the required information.
- Select X.509 Certificate as the Authentication method.
- Select the client certificate.
Ensure that, under Advanced Settings, the Phase 1 and Phase 2 information match the information configured on the FortiGate.
Save the changes and try to connect using the client certificate.
Troubleshooting steps.
- Debug on the FortiGate side to see if traffic is being received. Open the CLI and run the following:

diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug application eap_proxy -1 (for use with IKEv2)
diagnose debug application fnbamd -1
diagnose debug enable

- Download the debug logs from the FortiClient. Navigate to Settings -> Logging -> Export Logs.
If the error message 'IKE phase1 authentication fail as peer’s certificate is not verified' occurs, ensure the CA certificate was installed under the Trusted Root Certification Authorities.
If the issue persists, contact Fortinet Support for more assistance. Note that OpenSSL is not supported or endorsed by Fortinet. In this article, OpenSSL is used to create a certificate together with its key pair, and that key pair must be present for the certificate to be usable. Subject and other certificate details may differ and can be defined freely. At the time of writing, there is an open-source OpenSSL front end called XCA that can help with creating certificates. It is also not supported by Fortinet, but it may make certificate creation more intuitive.