Created on 02-27-2017 08:11 AM
Edited on 02-25-2025 01:08 AM
By Jean-Philippe_P
Description
This article describes how to configure administrator certificate-based authentication on the FortiGate.
The following certificates are required to configure Admin certificate authentication:
Scope
FortiGate.
Solution
To configure Admin certificate-based authentication, follow the steps below:
On the FortiGate:
config system admin
    edit admin-username
        set peer-auth enable
        set accprofile super_admin
        set peer-group PKI-group
end
On the user's PC:
Import the user certificate, which must be signed by CA_Cert_1, into the web browser's certificate store, and verify that it appears in the 'Personal' store.
Results:
FGT-5_4 # di de en
FGT-5_4 # [2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1922] fnbamd_auth_cert_start-Cert subject 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813
FGT-5_4 # get system admin list
username        local  device                 vdom  profile      remote                 started
admin           ssh    port9:10.10.10.20:22   root  super_admin  192.168.200.100:51326  2016-12-19 12:50:13
admin-username  https  port9:10.10.10.20:443  root  super_admin  192.168.200.100:51740  2016-12-19 13:02:59
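As an added check that is not part of the original article, the following Python example parses the fnbamd debug lines shown above and reports whether the certificate login chained to the expected CA, matched the expected PKI group, and returned result 0. The sample debug text is constructed from the article's output; the function names are the author's own and not a Fortinet API.

```python
import re

# Constructed sample of 'diagnose debug enable' output for a certificate-based
# admin login, modelled on the lines shown in this article.
SAMPLE_DEBUG = """\
[2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1922] fnbamd_auth_cert_start-Cert subject 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813
"""


def parse_dn(dn):
    """Split a 'C = US, ST = ..., CN = user' string into a dict.
    Naive comma split: fine for the DNs fnbamd prints here, where no
    attribute value itself contains a comma."""
    return {k.strip(): v.strip() for k, v in (p.split("=", 1) for p in dn.split(","))}


def parse_auth_cert_debug(text):
    """Extract the fields that decide a cert-based admin login from fnbamd debug output."""
    r = {"req_id": None, "subject": None, "issuer": None, "trusted_ca": None,
         "matched_group": None, "result": None, "error": None}
    for line in text.splitlines():
        if m := re.search(r"Rcvd auth_cert req id=(\d+)", line):
            r["req_id"] = m.group(1)
        elif m := re.search(r"check_cert-Subject name '([^']*)'", line):
            r["subject"] = parse_dn(m.group(1))
        elif m := re.search(r"check_cert-Issuer name '([^']*)'", line):
            r["issuer"] = parse_dn(m.group(1))
        elif m := re.search(r"Trusted CA found: (\S+)", line):
            r["trusted_ca"] = m.group(1)
        elif m := re.search(r"Matched group '([^']*)'", line):
            r["matched_group"] = m.group(1)
        elif m := re.search(r"Sending result (\d+) \(error (\d+)\) for req \d+", line):
            r["result"], r["error"] = int(m.group(1)), int(m.group(2))
    return r


def admin_cert_login_ok(text, expected_ca, expected_group):
    """True only if the chain hit the expected CA, the expected PKI group matched,
    and fnbamd returned result 0 (success)."""
    r = parse_auth_cert_debug(text)
    return (r["result"] == 0 and r["trusted_ca"] == expected_ca
            and r["matched_group"] == expected_group)
```

Run it against a captured debug session to confirm that a login was accepted for the intended CA and group rather than, for example, a different peer group that happens to trust the same root.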