Dialup IPSEC VPN with Certificate

Hi,

i'm having trouble setting up an IPSEC VPN for remote access using certificate instead of pre-shared key.

We've generated a CRS from the Fortigate unit and proceeded to get the certificate issued from a third party CA.

The certificate and the Root/Intermediate CA certs have been imported on the FG Unit (It's a 60E running FortiOS 6.0.5)

We then created the IPSEC VPN choosing signature as method and selected the new certificate.

But then it asks for a Peer Certificate which seems to be linked to a group, associated to a CA.

As far as I understand we need to provide each user using Forticlient VPN a certificate that needs to be accepted into this group, but where can these be obtained, or what are we doing wrong?

Thank you