FortiClient
Debbie_FTNT
Staff
Article Id 193246
Description
This article explains how to ensure that FortiClient can use certificates from the Local Machine certificate store for authentication with SSLVPN.

Solution
FortiClient can use certificates as the only method of authentication, or as an additional one, when connecting to an SSLVPN gateway.
In some instances, it can be desirable to use machine certificates for that connection rather than user certificates.

FortiClient allows certificates from the Local Machine certificate store to be used.
However, some configuration and permissions need to be set:


1) The user account FortiClient is running under needs permission to access the Local Machine certificate store.

2) The certificate is visible for selection in the VPN connection settings if proper permissions are set.

3) The VPN connection needs to have usage of the Local Machine certificate store explicitly enabled.
This can be done by modifying the FortiClient configuration as follows:


- Export the FortiClient backup from the 'Settings' menu.

- Open the resulting file in a text editor.
The FortiClient configuration is laid out as an XML file.

- In the VPN section, set the following:

<vpn>
  <sslvpn>
    <connections>
      <connection>
        <name>VPN_connection</name>
        <certificate>
          [...]
        </certificate>
        <allow_standard_user_use_system_cert>1</allow_standard_user_use_system_cert>
        [...]
      </connection>
    </connections>
  </sslvpn>
</vpn>

- Save the change, then import the modified configuration into FortiClient.
This might require unlocking FortiClient for changes.
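
The check and the edit from the steps above can also be scripted, which helps when reviewing which connections let standard users use machine certificates. This is an added example, not Fortinet tooling or code from the original article: it reports the allow_standard_user_use_system_cert value per SSL VPN connection and sets it on one named connection. The sample XML (wrapper element, Lab_VPN, Legacy_VPN) is constructed, and treating a missing element as not enabled is an assumption.

```python
import xml.etree.ElementTree as ET

FLAG = "allow_standard_user_use_system_cert"  # element name from the article

# Constructed sample; a real export holds many more sections and settings.
SAMPLE_EXPORT = """\
<forticlient_configuration><vpn><sslvpn><connections>
  <connection>
    <name>VPN_connection</name>
    <allow_standard_user_use_system_cert>1</allow_standard_user_use_system_cert>
  </connection>
  <connection>
    <name>Lab_VPN</name>
    <allow_standard_user_use_system_cert>0</allow_standard_user_use_system_cert>
  </connection>
  <connection><name>Legacy_VPN</name></connection>
</connections></sslvpn></vpn></forticlient_configuration>
"""

def audit(xml_text):
    """Return {connection name: bool} for the machine-store flag."""
    root = ET.fromstring(xml_text)
    result = {}
    for conn in root.iterfind(".//sslvpn/connections/connection"):
        name = (conn.findtext("name") or "").strip() or "<unnamed>"
        # Assumption: an absent element counts as "not enabled".
        result[name] = (conn.findtext(FLAG) or "").strip() == "1"
    return result

def enable(xml_text, connection_name):
    """Set the flag to 1 on one named connection, adding the element if absent."""
    root = ET.fromstring(xml_text)
    for conn in root.iterfind(".//sslvpn/connections/connection"):
        if (conn.findtext("name") or "").strip() == connection_name:
            node = conn.find(FLAG)
            if node is None:
                node = ET.SubElement(conn, FLAG)
            node.text = "1"
            return ET.tostring(root, encoding="unicode")
    raise KeyError(f"no SSL VPN connection named {connection_name!r}")

if __name__ == "__main__":
    for name, on in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {'enabled' if on else 'not enabled'}")
```

ElementTree drops XML comments and the XML declaration when it re-serializes, so compare the output with the original export before importing it.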


Related links:

How to view certificates on a Windows Computer:
https://docs.microsoft.com/en-us/dotnet/framework/wcf/feature-details/how-to-view-certificates-with-...

Ensuring FortiClient has proper access:
https://help.fortinet.com/fclient/olh/5-4-3/Content/FortiClient-5.4-Admin/1100_Remote%20Access/811_A...
