FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
sthapa
Staff
Article Id 192583

Description

 

This article describes SSL VPN PKI (client certificate) user authentication on FortiGate, with FortiAuthenticator acting as the local certificate authority.

 

Scope

 

FortiGate, FortiClient.


Solution

 

FortiOS supports PKI users for SSL VPN authentication, either as standalone (certificate-only) authentication or combined with two-factor authentication.

The following certificates, all generated on FortiAuthenticator, are used for this authentication:

 

  • Root CA certificate.
  • Intermediate CA certificate (issued by the root CA).
  • User (client) certificate (issued by the intermediate CA).

 

  1. Create the root CA certificate on FortiAuthenticator. Go to Certificate Management -> Certificate Authorities -> Root CA.

 
  2. Create an intermediate CA certificate on FortiAuthenticator. Go to Certificate Management -> Certificate Authorities -> Intermediate CA.

As the Certificate Authority (issuer), select the root CA created in step 1.

 
  
  3. Create a user certificate on FortiAuthenticator. Go to Certificate Management -> End Entities -> Create New User Certificate.
  • Select the intermediate CA created in step 2 as the issuing CA.
  • Configure the certificate Subject and Subject Alternative Name: FortiGate compares this value against its PKI user definition to validate the client certificate.
 
 
  4. Export the root CA certificate, the intermediate CA certificate, and the client certificate (together with its private key) from FortiAuthenticator.
  5. Import the root CA and intermediate CA certificates into FortiGate so that it trusts certificates issued to the client.
To import the intermediate CA certificate into FortiGate, go to System -> Certificates -> Import -> Local CA -> PKCS # 12 Certificate, select the key file and enter its password.
 
Note that a PKCS #12 import places the intermediate CA's private key on the FortiGate. That key is only needed if the FortiGate itself has to sign certificates; to merely trust client certificates, importing the intermediate CA's certificate alone (as a CA certificate, without the key) is sufficient and keeps the CA signing key off the VPN gateway.
 
To import the root CA certificate into FortiGate, go to System -> Certificates -> Import -> CA Certificate -> File.
 
 
  6. Create the PKI user and user group for SSL VPN authentication.
 
config user peer
    edit "user1"
        set ca "CA_Cert_1"             <----- Select the root CA certificate.
        set subject "user1@gmail.com"  <----- Subject should match the user certificate.
    next
end
 
Add the PKI users to PKI groups.
 
config user group
    edit "SSL_PKI"
        set member "user1"
    next
end
 
Then reference the group in the SSL VPN authentication rule, and in the firewall policy that allows traffic from the SSL VPN interface.
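The FortiGate-side mapping, as an added FortiOS CLI example that is not part of the original article: it makes the SSL VPN portal request a client certificate, ties the SSL_PKI group from the step above to an authentication rule that only matches clients presenting a valid certificate, and allows the tunnel traffic through a firewall policy. The interface names port1 and port2, the portals web-access and full-access, the server certificate Fortinet_Factory and the address object SSLVPN_TUNNEL_ADDR1 are assumptions (they are the FortiOS defaults or placeholders) and must be adapted to the deployment; the user peer and group are the ones defined above.

```fortios
config vpn ssl settings
    set servercert "Fortinet_Factory"        <----- Server certificate presented to clients (assumed default name).
    set reqclientcert enable                 <----- FortiGate asks every SSL VPN client for a certificate.
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"             <----- Assumed WAN interface.
    set source-address "all"
    set default-portal "web-access"
    set port 443
    config authentication-rule
        edit 1
            set groups "SSL_PKI"             <----- PKI group created in step 6.
            set portal "full-access"
            set client-cert enable           <----- Rule matches only clients that presented a valid client certificate.
        next
    end
end

config firewall policy
    edit 0                                   <----- 0 = next free policy ID.
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"               <----- SSL VPN tunnel interface.
        set dstintf "port2"                  <----- Assumed LAN interface.
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "SSL_PKI"                 <----- Only authenticated PKI users may pass.
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

With reqclientcert enabled, a client that presents no certificate is rejected at the TLS handshake; the authentication rule's client-cert setting additionally prevents the SSL_PKI group from being matched by a username/password login that never presented a certificate.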
 
  7. Import the client certificate and the root CA certificate on the client machine.
  • Import the root CA certificate under 'Trusted Root Certification Authorities'.
  • Import the client certificate, with its private key, under the 'Personal' store.

  8. Configure the SSL VPN connection in FortiClient and select the client certificate for PKI authentication.

 

 
 
 
Result.