FortiClient
jintrah_FTNT
Staff
Article Id 197820

Description

 
This article explains how to configure an IPsec dial-up VPN between FortiGate and FortiClient with certificate-based authentication.
 
Scope
 
FortiClient.


Solution

 

Requirements:
  • CA certificate.
  • Server certificate.
  • Client certificate.
The following example uses OpenSSL commands to generate the required certificates.

  1. Generate the CA key and certificate ca.crt (the passphrase requested by -des3 protects ca.key; -aes256 can be used instead):

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
 
  2. Generate the server key, CSR and certificate server.crt, signed by the CA:

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
 
  3. Generate the client key, CSR and certificate client.crt, then convert it to .p12 format so it can be exported together with its private key. Every certificate issued by a CA must carry a unique serial number, so the client certificate gets serial 02 instead of reusing the server's 01:

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt -name "test" -out client.p12
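The three steps above as one script, added here as an example and not taken from the article: it issues the same CA, server and client certificates but adds the extensions a VPN gateway and a Windows client expect (CA:TRUE on the root, serverAuth plus a SAN on the FortiGate certificate, clientAuth on the user certificate), lets OpenSSL allocate distinct serial numbers with -CAcreateserial, and verifies the chain and the serials before the PKCS#12 bundle is written. It assumes OpenSSL 1.1.1 or 3.x on PATH; the names vpn.example.com, VPN Demo CA, vpnuser1 and the export password ChangeMe are placeholders, the keys are 2048-bit and unencrypted to keep the demo fast, and a private openssl.cnf is written so the result does not depend on the system configuration file.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): generate a CA, a FortiGate
# server certificate and a FortiClient user certificate, check them, and
# export the user certificate as PKCS#12.
# Assumptions: OpenSSL 1.1.1+ on PATH; hostnames, subjects and the export
# password below are placeholders. Keys are written unencrypted for the demo;
# in production protect them with -aes256 or keep them in an HSM.

gen_vpn_pki() {
    dir=$1
    mkdir -p "$dir" || return 1
    (
        set -e
        cd "$dir"

        # Minimal OpenSSL config: extension profiles for each certificate type.
        cat > openssl.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.com
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

        # 1. CA: self-signed and marked CA:TRUE, so Windows accepts it as a trusted root.
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 365 -key ca.key -out ca.crt \
            -config openssl.cnf -extensions ca_ext -subj "/CN=VPN Demo CA"

        # 2. Server (FortiGate) certificate: serverAuth EKU and a SAN matching the VPN FQDN.
        #    -CAcreateserial keeps a counter in ca.srl, so each issued certificate gets
        #    a distinct serial instead of a hard-coded -set_serial value.
        openssl genrsa -out server.key 2048 2>/dev/null
        openssl req -new -key server.key -out server.csr \
            -config openssl.cnf -subj "/CN=vpn.example.com"
        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -extfile openssl.cnf -extensions server_ext -out server.crt 2>/dev/null

        # 3. Client (FortiClient user) certificate: clientAuth EKU. The CN is the value a
        #    FortiGate peer entry can be restricted to.
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -key client.key -out client.csr \
            -config openssl.cnf -subj "/CN=vpnuser1"
        openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
            -extfile openssl.cnf -extensions client_ext -out client.crt 2>/dev/null

        # Checks before anything is imported: the chain validates against ca.crt and
        # the two end-entity certificates do not share a serial number.
        openssl verify -CAfile ca.crt server.crt client.crt >/dev/null
        [ "$(openssl x509 -in server.crt -noout -serial)" != \
          "$(openssl x509 -in client.crt -noout -serial)" ]

        # PKCS#12 bundle (certificate, key and CA) for import into the Windows Personal
        # store. The password is a placeholder; Windows prompts for it on import.
        openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.crt \
            -name "vpnuser1" -passout pass:ChangeMe -out client.p12
    )
}

# Print the extended key usage of a certificate, e.g. "TLS Web Client Authentication".
cert_eku() {
    openssl x509 -in "$1" -noout -ext extendedKeyUsage | tail -n 1 | sed 's/^ *//'
}

# Usage: VPN_PKI_DIR=./vpn-pki sh gen_vpn_pki.sh
if [ -n "${VPN_PKI_DIR:-}" ]; then
    gen_vpn_pki "$VPN_PKI_DIR"
fi
```

After running it, ca.crt goes to the FortiGate as a CA certificate, server.crt with server.key as the local certificate, and client.p12 to the Windows client, where the import wizard in the steps below places it in the Personal store.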
 
  4. FortiGate and FortiClient configuration:

    a. Import the CA and server certificates on the FortiGate.

[Screenshot: 2025-04-09 12_43_46-Window.png]

 

    b. Configure the PKI user (peer) and the peer user group.

config user peer
    edit user1
        set ca CA_Cert_2
    next
end

config user peergrp
    edit user_group1
        set member user1
    next
end

CA_Cert_2 is the name the CA certificate received when it was imported in the previous step. As written, this peer accepts any certificate issued by that CA; to tie the peer to a single client certificate, additionally restrict it by the certificate's common name or subject in the same peer entry.
 
    c. FortiGate IPsec configuration.

[Screenshot: 2025-04-09 12_45_13-Window.png]

 

    d. FortiClient configuration: the CA certificate must be imported and placed in the Trusted Root Certification Authorities store. In the IPsec VPN connection settings, set the Authentication Method to certificate authentication.

[Screenshot: FCT1.jpg]

 

To import the user certificate on a Windows end-device, open the Run dialog (Win+R), type certmgr.msc and press Enter:

[Screenshot: FCT2.jpg]

 

In the left pane, expand Personal -> Certificates. Right-click Certificates -> All Tasks -> Import.

[Screenshot: FCT3.jpg]

 

Select the Next button:

[Screenshot: FCT4.jpg]

 

Select the Browse button, navigate to the folder that contains the user certificate file (client.p12), select Open, and then select Next.

[Screenshot: FCT5.jpg]

 

Place the user certificate in the Personal certificate store:

[Screenshot: FCT6.jpg]

 

Select the Finish button:

[Screenshot: FCT7.jpg]

 

The user certificate now appears in the Certificates folder:

[Screenshot: FCT8.jpg]

 

This certificate can then be selected in FortiClient to negotiate the VPN:

[Screenshot: FCT9.jpg]

 

Related article:

Technical Tip: PKI peer user/usergroup creation for certificate authentication