Description
Solution
This article describes how to login with certificates without the need to use username/password.
In the example below, a FortiAuthenticator extension is used as a local Certificate Authority (CA), but any other CA setup can be used to generate the client certificates.
The same process applies for FortiAnalyzer.
Solution
1) First go to FortiAuthenticator which is exist on FortiManager and enable it.
Go to Management extension -> fortiAuthenticator.
2) Go to Certificate Management -> Certificate Authorities -> Local CAs.
It will be necessary to create CA certificate as shown below.
3) Export it and save it to the local PC.
4) Create user certificate to be used in the browser later.
Go to Certificate Management -> End Entities -> Users.
5) This time will need to export the cert and key then download it to the local PC.
6) Go to System setting -> certificate -> CA certificate and import the CA certificate only.
7) Will need to create administrative user and make sure of the below.- Go to System Settings -> Admin -> Administrator.- Select 'Create New'. The New Administrator dialog box opens.- Select PKI for the Admin Type.- Enter a comment in the Subject field, which must be the same in the certificate or it is possible to get it from FortiAuthenticator user cert details.- Select the CA certificate from the dropdown list in the CA field..- Select 'OK' to create the new administrator account.
8) Now it is necessary to insert the user certificate to the browser, with below steps, be noted that while exporting the user certificate, it is exported with a key in 5), which will be used while inserting it to the browser as shown below.
Go to browser advanced settings, search for certificate, then add it to the list.
Here, the password used, will be the same at exporting the certificate step.
9) It is necessary to enable the PKI service through SSH, which is not affected by this process, so in case it will be necessary to rollback, just disable it with same steps.
# config system globalset clt-cert-req enableend
10) Try to login to the FortiManager and it will be necessary to get the below prompt, just select the name and it will be possible to go.
11) It is possible now tologin with the created administrator user.
Finally, there are 2 expected errors:
Firstly, User invalid certificate is invalid, which usually because the parameters used while created the administrative user in 7) are wrong.
Secondly, the below error page, which usually means certificate is not imported correctly to the browser or the certificate need to be recreated correctly.
Troubleshooting section.
# diagnose debug application auth 255# diagnose debug timestamp enable# diagnose debug enable
# diagnose debug application fnbam 255# diagnose debug timestamp enable# diagnose debug enable
As seen in the below picture, it points me that subject not match, then copy the certificate subject and correct it to administrative user as we did in step 7).
