Forticlient SSL VPN with Certifcates generated by Microsoft CA

Question

Hi All,

I have a strange problem when trying to use a client certificate for SSL VPN authentication where the client certificate was issued by the Microsoft CA. The certificate is a local machine certificate and was one that the CA had already generated and the "intended purpose" of the certificate was "client authentication only". From the client machine, Forticlient was not able to select this certificate to use for its client certificate. Does anyone know if Forticlient requires any specific certificate properties for a client certificate? I am wondering what other certificate properties/attributes need to be set from the Microsoft template in order for the certificate to work correctly with Forticlient for SSL VPN authentication.

I cannot find any document which details what certificate properties/attributes are required in the Microsoft template for Forticlient SSL VPN authentication work correctly. It certainly does not work with the "client authentication" only intended purpose ( which I think is set from certificate extended usage) - - can anyone provide any pointers as to what is acutally required from the Microsoft template for the certificate to work correctly for Forticlient SSL VPN?

The Forticlient version I am using is 5.6 but the same problem also happens on 5.4

Any help appreciated.

Moby.

oheigl · Answer

I guess you need access to the private key of the computer certificate to use it with SSL-VPN, IPsec VPN doesn't have this limitation.

You can read more about it in the FortiClient Administration Guide (Access to certificates in Windows Certificates Stores:(

If the certificate is in the local computer account, FortiClient can typically access the certificate. A certificate from the local computer account may be used to establish an IPsec VPN connection, regardless of whether the logged on user is an administrator or a non-administrator. For SSL VPN, the administrator needs to grant permission to users who are non-administrators to access the private key of the certificate. Otherwise, non-administrators cannot use the certificate in the computer account to establish SSL VPN connections. This restriction does not apply to any user with administrator level permission. IPsec VPN does not have this exception. If the certificate is in the user account, FortiClient can access the certificate, if the user has already successfully logged in, and the same user imported the certificate. In all other scenarios, FortiClient might be unable to access the certificate

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded