Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
alih
Staff
Staff

Created on ‎11-10-2021 09:53 AM

Article Id 189599

Technical Tip: Login through PKI certificate

Description
This article describes how to login with certificates without the need to use username/password.

In the example below, a FortiAuthenticator extension is used as a local Certificate Authority (CA), but any other CA setup can be used to generate the client certificates.
The same process applies for FortiAnalyzer.

Solution
1) First go to FortiAuthenticator which is exist on FortiManager and enable it.

Go to Management extension -> fortiAuthenticator.




2) Go to Certificate Management -> Certificate Authorities -> Local CAs.

It will be necessary to create CA certificate as shown below.




3) Export it and save it to the local PC.




4) Create user certificate to be used in the browser later.

Go to Certificate Management -> End Entities -> Users.




5) This time will need to export the cert and key then download it to the local PC.







6) Go to System setting -> certificate -> CA certificate and import the CA certificate only.




7) Will need to create administrative user and make sure of the below.

- Go to System Settings -> Admin -> Administrator.
- Select 'Create New'. The New Administrator dialog box opens.
- Select PKI for the Admin Type.
- Enter a comment in the Subject field, which must be the same in the certificate or it is possible to get it from FortiAuthenticator user cert details.
- Select the CA certificate from the dropdown list in the CA field..
- Select 'OK' to create the new administrator account.





8) Now it is necessary to insert the user certificate to the browser, with below steps, be noted that while exporting the user certificate, it is exported with a key in 5), which will be used while inserting it to the browser as shown  below.

Go to browser advanced settings, search for certificate, then add it to the list.




Here, the password used, will be the same at exporting the certificate step.






9) It is necessary to enable the PKI service through SSH, which is not affected by this process, so in case it will be necessary to rollback, just disable it with same steps.

# config system global
    set clt-cert-req enable
end

10) Try to login to the FortiManager and it will be necessary to get the below prompt, just select the name and it will be possible to go.




11) It is possible now tologin with the created administrator user.




Finally, there are 2 expected errors:
Firstly, User invalid certificate is invalid, which usually because the parameters  used while created the administrative user in 7) are wrong.




Secondly, the below error page, which usually means certificate is not imported correctly to the browser or the certificate need to be recreated correctly.




Troubleshooting section.

# diagnose debug application auth 255
# diagnose debug timestamp enable
# diagnose debug enable

# diagnose debug application fnbam 255
# diagnose debug timestamp enable
# diagnose debug enable

As seen in the below picture, it points me that subject not match, then copy the certificate subject and correct it to administrative user as we did in step 7).



4096
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.