jonathan_bernardino
New Member
July 27, 2017
Solved

Authenticate via SSH on the firewall with private certificate

  • July 27, 2017
  • 1 reply
  • 8506 views

I would like to know if anyone has already managed to enable SSH authentication with a local certificate on FortiGate.

    Best answer by emnoc

    It's actually quite easy.

    1: Have a signed certificate created by the CA.

    e.g. here's mine, with a cn=kenfelix

    2: Import the CA certificate as a "CA" certificate in the FortiGate.

    3: Import the admin user certificate as a local cert ( PKCS aka pfx is preferred ).

    In my example:

    The user certificate was imported as a pfx, as a local certificate named "kenfelix" ( the FGT name is whatever name you give it, but to make it simpler, name the certificate the same as the user, imho ).

    config system admin
        edit "kenfelix"
            set accprofile "super_admin"
            set vdom "root"
            set ssh-certificate "kenfelix"
            set password ENC AK18aQFToT6tNApJ943A/YRIVnY+j/uQ7Texdw5UQbRm3w=
        next
    end

    Now, follow these instructions if you've never used openssl and don't know how to extract a private key:

    https://trueg.wordpress.com/2012/09/06/use-an-x-509-certificate-for-ssh-login/

    Use the CLI cmd get sys admin list for validation:

    FGW (root) # get sys admin  list 
    username   local    device                         vdom     profile      remote                 started     
    kenfelix   ssh      wan1:x.x.x.x.x.x:22         root     super_admin  70.195.210.178:2552    2017-07-27 22:34:55

    It's best to ensure the permissions on the private key are set to 700 ( for us unix/linux guys ;) ).

    Run the ssh client in verbose mode for further diagnostics, e.g.:

    macbook:ssh kfelix$ ssh  -v -i kenfelix.pem kenfelix@xx.xx.xx.xx
    OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    debug1: Reading configuration data /etc/ssh_config
    debug1: /etc/ssh_config line 20: Applying options for *
    debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
    debug1: Connection established.
    debug1: identity file kenfelix.pem type -1
    debug1: identity file kenfelix.pem-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.2
    debug1: Remote protocol version 2.0, remote software version q5baLW
    debug1: no match: q5baLW
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA c6:d7:bd:7f:60:0d:49:c4:10:e4:b6:0f:c4:a7:98:3a
    debug1: Host 'xx.xx.xx.xxx' is known and matches the RSA host key.
    debug1: Found key in /Users/kfelix/.ssh/known_hosts:9
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: kenfelix.pem
    debug1: read PEM private key done: type RSA
    debug1: Authentication succeeded (publickey).
    Authenticated to xxxxxxxx ([xxxxxxxx]:22).
    debug1: channel 0: new [client-session]
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    FGW # debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1

    If all was done right, you should have "password-less" login.

    If all goes bad, the fallback is your set password.

    I hope this helps ;)

    ken
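The key-extraction and validation steps described in the answer, as an added shell example that is not emnoc's own script: it builds a constructed throwaway CA and user certificate so it runs offline (kenfelix, the file names and the pfx password are placeholders), extracts the private key from the pfx the way the linked instructions do, and then checks what a practitioner would want to confirm before importing anything on the firewall: that the extracted key is the pair of the certificate, that the certificate chains to the CA, and that the CN is the admin name.

```shell
#!/bin/sh
# Added example, not emnoc's script: reproduce the answer's "extract the private
# key from the pfx" step with a constructed throwaway CA so it runs offline.
# kenfelix, the file names and the pfx password are placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Constructed data: a throwaway CA plus a user cert with CN=kenfelix, bundled
# into the PKCS#12 (pfx) that the answer imports on the FortiGate.
make_constructed_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=kenfelix" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/kenfelix.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/kenfelix.crt" \
        -certfile "$d/ca.crt" -passout pass:placeholder -out "$d/kenfelix.pfx"
}
# Pull the private key out of the pfx for "ssh -i kenfelix.pem" and keep it
# owner-only; a key file needs no execute bit, so 600 is enough.
extract_key_from_pfx() {
    umask 077
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}
# The key given to ssh must be the pair of the cert the firewall holds:
# compare the public key derived from each.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# What the FortiGate does with the imported CA: validate the user cert against it.
cert_chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# The CN is the identity bound to the admin account; check it before importing.
cert_cn_is() { openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2\$"; }
main() {
    make_constructed_pki "$WORK"
    extract_key_from_pfx "$WORK/kenfelix.pfx" placeholder "$WORK/kenfelix.pem"
    key_matches_cert "$WORK/kenfelix.pem" "$WORK/kenfelix.crt" && echo "key matches cert"
    cert_chains_to_ca "$WORK/ca.crt" "$WORK/kenfelix.crt" && echo "cert chains to CA"
    cert_cn_is "$WORK/kenfelix.crt" kenfelix && echo "CN is kenfelix"
}
main
```

Set WORK to a directory of your choice to keep the generated files; otherwise they land in a fresh mktemp directory.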

    1 reply

    emnoc
    New Member
    July 28, 2017
