FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
sfernando
Staff
Article Id 332548
Description

This article explains the step-by-step process to create CA (certificate authority) certificates and certificates via FortiAuthenticator and use them on different applications (IPsec) where certificate authentication is required.

Scope

Creating certificates on FortiAuthenticator and applying them on FortiGate.
Solution

Step 1: Create a local CA certificate on FortiAuthenticator.

Creating a local CA on FortiAuthenticator

The created local CA certificate is then listed under the local CAs on FortiAuthenticator.
Step 2: Upload the CA certificate to FortiGate as a remote CA certificate.
Step 3: Generate a CSR on FortiGate.
Under Certificates, the new entry is listed with the status Pending until the signed certificate is imported.
Select the pending entry and download the CSR file.
Step 4: On FortiAuthenticator, upload the downloaded CSR using the Import button and sign the request.
Step 5: After the request has been signed, export the signed certificate so it can be imported on the FortiGate.
Step 6: Import the signed certificate into the FortiGate local certificate store.

After a successful import, the pending entry is replaced by the signed certificate in the FortiGate local certificate list.
Note 1: Steps 2 to 6 must be carried out twice, once per FortiGate, so that each of the two devices used for the IPsec tunnel has its own certificate.

Note 2: This article uses an IPsec tunnel between two FortiGates with certificate authentication. When creating the tunnel via the template, it is necessary to provide the local certificate as well as the CA certificate that will be used to verify the remote end's certificate (in this case, both ends use the same CA certificate).

FortiGate IPsec configuration will look as below.

FortiGate1:

config vpn ipsec phase1-interface
    edit "IPSECser"
        set interface "port1"
        set authmethod signature
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPSECser (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.56.246.21
        set certificate "ipsecclient" <-- Certificate uploaded.
        set peer "ipsecclientcert"
    next
end
config user peer
    edit "ipsecclientcert"
        set ca "CA_Cert_1"   <-- CA certificate of the peer.
    next
end

FortiGate2:

config vpn ipsec phase1-interface
    edit "IPSECcert"
        set interface "port1"
        set authmethod signature
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: IPSECcert (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.56.242.20
        set certificate "ipsecserver"
        set peer "ipsecservercert"
    next
end
config user peer
    edit "ipsecservercert"
        set ca "CA_Cert_2"
    next
end
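The issuance chain of steps 1 to 5 (local CA, device CSR, CA-signed certificate) and the CA reference in "config user peer" can be reproduced and checked offline with openssl. The script below is an added example, not part of this article and not Fortinet code: it builds a throwaway CA and CSR, signs the CSR, and then runs the three checks worth doing on an exported certificate before importing it in step 6: that it chains to the CA the peer will configure under "set ca", that its public key is the one from the device's CSR, and that the issued subject is the requested one. It assumes openssl 1.1.1 or later on the path; the CA name, device names and DNs are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): openssl equivalent of the
# CA -> CSR -> signed certificate workflow, plus pre-import checks.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Step 1 equivalent: a local CA (private key + self-signed CA certificate).
# $1 = CA name, used as file prefix and CN (constructed).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# Step 3 equivalent: the device generates its own key and a CSR.
# The private key stays on the device; only the CSR travels to the CA.
# $1 = device name, used as file prefix and CN (constructed).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# Steps 4 and 5 equivalent: the CA signs the CSR and exports the certificate.
# $1 = device name, $2 = CA name.
sign_csr() {
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 365 -sha256 -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Checks on the exported certificate before step 6. Returns 0 only if all pass.
# $1 = device name, $2 = path of the CA certificate the remote peer will trust.
verify_signed_cert() {
    cert="$WORK/$1.pem"; csr="$WORK/$1.csr"
    # (a) The certificate chains to the CA that the remote end loads as a
    #     remote CA and references with "set ca" in "config user peer".
    openssl verify -CAfile "$2" "$cert" >/dev/null 2>&1 \
        || { echo "$1: chain to $(basename "$2") FAIL"; return 1; }
    # (b) The public key in the certificate equals the one in the CSR, so the
    #     signed certificate really belongs to the key held by the device.
    [ "$(openssl x509 -in "$cert" -pubkey -noout)" = \
      "$(openssl req -in "$csr" -pubkey -noout)" ] \
        || { echo "$1: public key does not match CSR FAIL"; return 1; }
    # (c) The CA issued the subject the device requested, not an altered one.
    [ "$(openssl x509 -in "$cert" -subject -noout -nameopt RFC2253)" = \
      "$(openssl req -in "$csr" -subject -noout -nameopt RFC2253)" ] \
        || { echo "$1: subject differs from CSR FAIL"; return 1; }
    echo "$1: chain, key and subject OK"
    return 0
}

# Demonstration run: one CA signs the FortiGate certificate; a second,
# unrelated CA stands in for a wrong "set ca" reference on the peer.
make_ca ca_cert_1
make_ca unrelated_ca
make_csr ipsecserver
sign_csr ipsecserver ca_cert_1
verify_signed_cert ipsecserver "$WORK/ca_cert_1.pem"
verify_signed_cert ipsecserver "$WORK/unrelated_ca.pem" || echo "(expected: peer trusts a different CA)"
```

The chain check is the one that matters most for Note 2: if the CA configured under "set ca" on a peer is not the CA that signed the other end's certificate, the check fails here exactly as IKE authentication would fail on the FortiGate.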

Note 3: The same certificates can also be used for FortiGate SSL VPN (client and server) with certificate authentication, and for other use cases that require certificate authentication.

Note 4: If a public CA is used, a CSR can be generated and the device communicates with the public CA to have the certificate signed; that process is automatic.