Created on
01-25-2016
02:20 PM
Edited on
01-30-2024
02:49 AM
By
Kate_M
Description
Scope
These steps were tested on Windows 7, Windows XP and Windows Server 2008 R2.
Solution
1) Access Certificate Services from a Domain Member PC
Step 1: Log into a Domain Member PC and start a Microsoft Management Console (MMC) session: press Windows Key + R, type "mmc.exe" and press Enter.
Step 2: Add the Certificates Snap-In: go to File > Add/Remove Snap-In > Certificates > Add. In the prompt that follows, select "My User Account". This opens the logged-in User's Certificate stores.
2) Request a User Certificate
Step 1: Expand the Personal Folder and right-click the Certificates Folder. Go to All Tasks > Request New Certificate.
Step 2: Follow the Certificate Enrollment Wizard. Ensure your settings match the following screenshots. The template you enroll from (by default, User) must allow the private key to be exported; otherwise the export in section 3 will not offer the private key, and the certificate cannot be moved to another workstation.
Step 3: Once the enrollment completes, the new Certificate should appear under Personal > Certificates. Ensure the Intended Purposes column lists Encryption and Authentication.
If either of these purposes is missing, the certificate template used for User enrollment needs to be modified on the Windows Certificate Authority Server. If everything matches, you have successfully requested and obtained a User Certificate.
NOTE: The key icon indicates that this certificate store has both the public key and private key for this Certificate.
3) Export the Certificate Key Pair
Step 1: Now that we have a User Certificate we can export the Certificate Key pair. This allows us to deploy the User Certificate on a remote workstation for use with FortiClient.
In the same MMC session, expand Personal > Certificates, right-click the User Certificate obtained in section 2, and go to All Tasks > Export...
Step 2: Follow the Certificate Export Wizard. Ensure your settings match the following screenshots. The settings that matter are: "Yes, export the private key"; the "Personal Information Exchange - PKCS #12 (.PFX)" format; "Include all certificates in the certification path if possible" (so the CA Certificate travels with the User Certificate); and a long, randomly generated password.
Step 3: Complete the Certificate Export Wizard by selecting a destination for the PFX file. Once the Wizard completes, you will have a PFX file that can be installed on any workstation.
NOTE: A PFX file contains both the public key (the certificate) and the private key. The password protects the private key, but an attacker who obtains the file can attempt to guess the password offline at leisure, so use a strong password and take care not to let the file fall into unauthorized hands.
4) Install the PFX file on a remote PC for use with FortiClient
Step 1: Find a secure method of transporting the PFX file to the local storage of the remote Workstation (an encrypted channel or encrypted removable media, not e-mail).
Step 2: Double-click the PFX file. This starts the Certificate Import Wizard. Ensure your settings match the following screenshots. Unless you will need to move the certificate again later, leave "Mark this key as exportable" unchecked, so the private key cannot be exported again from the remote workstation's store.
Step 3: Once the Certificate Import Wizard completes, you should see two Certificates in your Personal Certificate Folder: the User Certificate and the CA Certificate.
The CA Certificate belongs in the Trusted Root Certification Authorities Folder; move it there (drag and drop in MMC, or cut and paste) so that Windows and FortiClient can validate the User Certificate's chain.
Step 4: Verify that FortiClient recognizes this imported Certificate. Run FortiClient and configure any VPN to use Certificates. You should be able to select the imported Certificate.
Step 5: Once you've verified that the Certificate is recognized by FortiClient, destroy all copies of the PFX file, including the copy on the Domain Member PC and any copy left on the transport medium. Note that deleting the file does not erase it from disk; if the private key is sensitive, overwrite free space afterwards (for example with "cipher /w:" on NTFS).
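The export, import and verification steps of sections 3 and 4 can also be done from PowerShell. The following is an added example, not part of the original article, and uses only the .NET X509 classes that ship with PowerShell 2.0, so it runs on Windows 7 and Server 2008 R2 (and on XP once PowerShell 2.0 is installed). Enrollment itself (section 2) is still done through the MMC wizard. The PFX path, the password prompt and the choice of the first matching certificate are assumptions for illustration.

```powershell
# Added example (not from the original KB article). Mirrors the MMC export /
# import / verify procedure with the .NET X509 classes available in PowerShell 2.0.
# $PfxPath, $PfxPassword and "first matching certificate" are assumptions.

$ns = 'System.Security.Cryptography.X509Certificates'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth: the "Authentication" purpose MMC shows

function Get-ClientAuthCertificate {
    # Same view as "My User Account" > Personal > Certificates in MMC: keep only
    # certificates that have a private key (the key icon) and the Client Authentication EKU.
    $store = New-Object "$ns.X509Store" -ArgumentList 'My', 'CurrentUser'
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            if (-not $cert.HasPrivateKey) { continue }
            $eku = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                Select-Object -First 1
            if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid)) { $cert }
        }
    } finally { $store.Close() }
}

function Export-ClientAuthPfx($Cert, [string]$Path, [string]$Password) {
    # Same as the wizard's "Include all certificates in the certification path":
    # export the leaf plus its chain so the remote PC also receives the CA certificate.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only need the path here, not a CRL lookup
    if (-not $chain.Build($Cert)) {
        throw "Chain does not build: $($chain.ChainStatus | ForEach-Object { $_.StatusInformation })"
    }
    $coll = New-Object "$ns.X509Certificate2Collection"
    foreach ($el in $chain.ChainElements) { [void]$coll.Add($el.Certificate) }
    # Export() throws if the key was enrolled non-exportable; that is the same condition
    # under which the MMC wizard greys out "Yes, export the private key".
    $bytes = $coll.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $bytes)
}

function Import-ClientAuthPfx([string]$Path, [string]$Password) {
    # Run on the remote workstation. UserKeySet + PersistKeySet write the private key into
    # the user's key container; Exportable is deliberately left out, which is the same as
    # leaving "Mark this key as exportable" unchecked in the Certificate Import Wizard.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet'
    $coll = New-Object "$ns.X509Certificate2Collection"
    $coll.Import($Path, $Password, $flags)
    foreach ($c in $coll) {
        if ($c.HasPrivateKey)             { $storeName = 'My' }    # the user certificate -> Personal
        elseif ($c.Subject -eq $c.Issuer) { $storeName = 'Root' }  # self-signed CA -> Trusted Root (Windows prompts)
        else                              { $storeName = 'CA' }    # subordinate CA -> Intermediate CAs
        $store = New-Object "$ns.X509Store" -ArgumentList $storeName, 'CurrentUser'
        $store.Open('ReadWrite')
        $store.Add($c)
        $store.Close()
        '{0,-4} {1}' -f $storeName, $c.Subject
    }
}

function Test-ClientAuthCertificate($Cert) {
    # What FortiClient needs at VPN time: a private key and a chain that validates up to a
    # trusted root. Revocation is checked here, so the CA's CRL must be reachable.
    $chain = New-Object "$ns.X509Chain"
    $ok = $chain.Build($Cert)
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation } }
    return ($Cert.HasPrivateKey -and $ok)
}

# --- On the Domain Member PC, after enrolling through MMC (section 2) ---
$PfxPath     = "$env:USERPROFILE\Desktop\user-cert.pfx"   # assumed location
$PfxPassword = Read-Host 'PFX password'                    # assumed: use a long random password
$cert = Get-ClientAuthCertificate | Select-Object -First 1
if (-not $cert) { throw 'No certificate with a private key and Client Authentication EKU found' }
Export-ClientAuthPfx -Cert $cert -Path $PfxPath -Password $PfxPassword

# --- On the remote workstation, after copying user-cert.pfx there securely (section 4) ---
Import-ClientAuthPfx -Path $PfxPath -Password $PfxPassword
$leaf = Get-ClientAuthCertificate | Select-Object -First 1
if (Test-ClientAuthCertificate $leaf) {
    Remove-Item $PfxPath -Force   # deletion only; overwrite free space separately if the key is sensitive
} else {
    Write-Warning 'Certificate or chain not usable; PFX kept for troubleshooting'
}
```

The two halves are meant to be run on the two machines in turn; the export half refuses to run if the chain cannot be built, and the import half sorts each certificate from the PFX into the store the article describes (Personal for the User Certificate, Trusted Root for the CA Certificate) so no manual move is needed afterwards.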