FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Article Id 190149



This article describes the steps necessary to setup a FortiAuthenticator as a subordinate certificate authority in a Windows Active Directory Domain environment that has an established Windows Certificate Root Authority.

This type of trust chain will establish the FortiAuthenticator as a trusted subordinate certificate authority for all domain member workstations. This will allow seamless certificate management with the FortiAuthenticator as there will be no need to push out new root certificates to domain workstations due to the trust chain already containing a trusted root authority.


This article assumes an active Windows Certificate Authority has been deployed. These steps have been tested with Microsoft Windows Server 2008 R2.


1) On the FortiAuthenticator, create an Intermediate CA certificate signing request.  Ensure to supply all the fields as required.


2) Download the certificate signing request.

3) Access the Windows AD Certificate Services web enrollment page (https:///certsrv).  This page will be used to submit an advanced certificate request.


4) On the Advanced Certificate Request page, paste in the contents of the CSR that was downloaded in step 2. Select the 'Subordinate Certification Authority' template.


5) Once the request is complete, download the certificate as Base 64.


6) Import the downloaded certificate back into the FortiAuthenticator as a local certificate.



7) At this point, download the final certificate to verify.  The chain should show the Windows Certificate Authority as the root authority, and the FortiAuthenticator as the subordinate authority.