Technical Tip: End-to-end configuration of certificate-based Web UI Login on FortiWeb
| Description | This article describes the complete procedure to configure certificate-based authentication for administrator access to the FortiWeb Web UI. Certificate-based login allows administrators to authenticate using a client certificate instead of a username and password. |
| Scope | FortiWeb. |
Solution:
FortiWeb must trust the Certificate Authority (CA) that signed the administrator’s client certificate. Import the issuing CA certificate (for example, labCA.crt) to FortiWeb under System -> Admin -> Certificates -> Admin Certificate CA.
Note: This step is essential. Import the administrator certificate into the local certificate store of the client system or browser in a format that includes the private key (such as .pfx or .p12). Certificates without the private key (for example, .cer, .crt, or .der) cannot be selected in the browser's client-certificate prompt, so the login will not succeed.
Navigate to User -> PKI User and select Create New. Enter a name for the PKI user and define the certificate subject, ensuring the CN (Common Name) matches the subject of the administrator's client certificate, for example C=FR, ST=IDF, L=Paris, O=LabOrg, CN=fw-admin-01, or simply CN=fw-admin-01. Select the imported CA certificate and select OK. Note: The Subject value must be taken from the administrator's client certificate. Using only the Common Name (CN) (for example, CN=fw-admin-01) is recommended, because it avoids matching issues caused by attribute order or case sensitivity.
Navigate to User -> User Group -> Admin Group and select Create New. Under the group members, select Create New, choose PKI User as the user type, and add the PKI user created above. Select OK to save the configuration.
Navigate to System -> Admin -> Administrators. Edit the target administrator, set the Type to Remote User, and assign the previously created Admin Group under Admin User Group.
When accessing the FortiWeb Web UI over HTTPS, the browser prompts for a client certificate. If the certificate is valid, access is granted directly without displaying the username and password login page. If certificate authentication fails, FortiWeb redirects to the standard login page and records the failure in the event log, for example: 'Login failed! Check certificate error! from GUI(10.1.1.1)'.
An example of a successful login:
An example of a failed login:
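The two conditions that decide the outcome above are the CA trust check and the PKI user subject match. The following Go program, added here as an illustration and not FortiWeb's own code, stands in for those checks with the standard library: it constructs a lab CA (labCA) and an administrator certificate (CN=fw-admin-01), verifies that the administrator certificate chains to the imported CA, and compares a configured CN-only subject exactly and case-sensitively, which is the conservative reading of the matching warning. The function names and the exact comparison rule are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue builds a constructed test certificate: a self-signed CA when parent is nil (standing in for the lab CA imported under Admin Certificate CA), otherwise an administrator client certificate signed by parent.
func issue(subject pkix.Name, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: signs itself with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey) // constructed input; errors ignored
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SubjectMatches compares a configured "CN=..." PKI user subject with the client certificate's CN exactly and case-sensitively (assumed rule, see lead-in).
func SubjectMatches(configured string, cert *x509.Certificate) bool {
	return strings.HasPrefix(configured, "CN=") && strings.TrimPrefix(configured, "CN=") == cert.Subject.CommonName
}

// TrustedByImportedCA mirrors the trust requirement: the client certificate must chain to the imported CA and be valid for TLS client authentication.
func TrustedByImportedCA(client, ca *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() { // constructed lab CA and administrator certificate
	ca, caKey := issue(pkix.Name{CommonName: "labCA"}, nil, nil)
	admin, _ := issue(pkix.Name{Country: []string{"FR"}, Organization: []string{"LabOrg"}, CommonName: "fw-admin-01"}, ca, caKey)
	fmt.Println("PKI user subject to enter:", "CN="+admin.Subject.CommonName, SubjectMatches("cn=fw-admin-01", admin), TrustedByImportedCA(admin, ca))
}
```

The printed line shows that a lower-case cn= entry does not match, while the certificate does chain to labCA; a second self-signed CA passed to TrustedByImportedCA fails the same way an unimported CA would.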
Conclusion: Certificate-based web UI login provides a secure and scalable method for administrator authentication. Correct CA trust configuration, accurate PKI user subject mapping (preferably using CN only), and proper Admin Group assignment are critical for successful authentication.
Related article: