ddskier
New Member
April 27, 2010
Question

SSL VPN Client - Require Client Certificate

  • April 27, 2010
  • 13 replies
  • 12060 views
I'm very frustrated with the SSL VPN "Require Client Certificate" functionality. Fortinet's documentation isn't the best on this issue. Support is also taking their sweet time giving me answers that don't keep referring back to documentation. I'm running 4.0 MR1 - Patch 4. I have purchased a GoDaddy SSL certificate, installed it on the Fortinet unit and also installed GoDaddy's "CA Certificate" on the unit itself (per Fortinet documentation). I went ahead and installed the SSL certificate on the client machine under the "Other People" and "Personal" certificate containers. However, no matter what I do, the Fortinet unit will not allow my remote user to authenticate while I have the "Require Client Certificate" check box checked. What am I missing?


    Carl_Wallmark
    New Member
    April 27, 2010
Hi, the certificate for SSL VPN is a .p12 certificate (a personal certificate). You need to have that on your clients.
    ddskier (Author)
    New Member
    April 28, 2010
Ugh. What would you recommend that I use to generate this certificate? Take the current X.509 SSL cert and generate a .p12 cert? Use OpenSSL? Thoughts?
    g3rman
    New Member
    April 28, 2010
    Use XCA (https://sourceforge.net/projects/xca/). Graphical frontend for OpenSSL. Works like a champ.
    New Contributor III
    May 4, 2010
    Can you please share the steps to create .p12 certificate using XCA? I have also purchased a standard certificate from goDaddy. Your help is appreciated!
    nsumner
    New Member
    May 5, 2010
The question, x2cao, is what you are trying to accomplish. Requiring a certificate for your end users increases security, but is generally used with a token (i.e. if you don't have the token you can't connect). Just putting it on the laptop doesn't increase security by a terribly large amount and creates an administrative nightmare.
    New Contributor III
    May 5, 2010
Thanks for the suggestion, but we only have a limited number of users who will use this. In fact I don't think it's that hard to manage, because you can always deploy the cert to the staff through GPO. We just want to achieve higher security without additional costs.
    rlord
    New Member
    May 5, 2010
This is what I did. Installed Windows CA on Enterprise Server. You do not need Enterprise if you want to manually deploy user certificates. Imported the Windows CA certificate into the FortiGate. Then I used a CA template and AD GPO to auto-generate client CAs for each computer. When a user connects, the system looks for the certificate trusted by the Windows CA as well as prompts the user for their login. I think your issue is as follows: 1) Users or computers need to be issued a certificate. 2) Take the CA certificate for the CA used to deploy certificates to your users and upload this to the FortiGate. Hope that makes sense.
    New Contributor III
    May 5, 2010
Thanks rlord... I have done that, but I want to use a well-known CA instead of hosting my own certificates. Is anyone else on this forum able to use a well-known third-party CA, e.g. Thawte, Verisign, GoDaddy etc.?
    rlord
    New Member
    May 5, 2010
x2cao, then you'll need client certs from the "well known CA" for your users. You have to have a chain of trust for the FortiGate to accept the users. It is not like secure web, where only the server needs an SSL certificate. In this case both parties need a certificate that has been issued by the same CA chain. At least that is how I understood it.
    New Contributor III
    May 6, 2010
Hi rlord, I don't think that's how it works in the VPN world... At first I thought the same way as you. But if you read the first few posts on this thread, you will know that all we need is to convert the certificate to .p12; that's why I want the list of steps to convert it.
    rlord
    New Member
    May 7, 2010
"Hi rlord, I don't think that's how it works in the VPN world"
Well, I have SSL-VPN working with over 200 users. So, I am pretty sure that's how it works. But what do I know... right?
    New Contributor III
    May 6, 2010
    ddskier and g3rman where are you guys? I need your help...