Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rleon
Staff
Staff

Created on ‎02-27-2017 08:11 AM Edited on ‎02-25-2025 01:08 AM By Moderator

Article Id 193287

Technical Tip: Configure admin certificate authentication

Description

 

This article describes how to configure administrator certificate-based authentication on the FortiGate.

The following certificates are required to configure Admin certificate authentication:

  • User certificate.
  • CA root, signed by the user certificate.

 

Scope

 

FortiGate.


Solution

 

To configure Admin certificate-based authentication, follow the steps below:

On the FortiGate:

 

  1. Enable the 'Certificate Feature' if not enabled (Go to System -> Feature Select).

  2. Import the CA certificate under external CA Certificates (Go to System -> Certificates -> Import -> CA Certificate).
    Once imported, the certificate is shown as CA_Cert_1 (if a second CA certificate is imported then is shown as CA_Cert_2, etc.).

  3. Create a PKI user:

    config user peer
        edit pki-admin
            set ca CA_Cert_1
    end

  4. Add the PKI user to a firewall group:

    config user group
        edit PKI-group
            set member pki-admin
    end

  5. Create an admin user, enable peer authentication, and select the created group:

 

config system admin

    edit admin-username
        set peer-auth enable
        set accprofile super_admin
        set peer-group PKI-group
end

 

On the user's PC:

Import the user certificate which must be signed by the CA_Cert_1, on the web browser. Verify that the certificate is in the 'Personal Store'.

Results:

When accessing the FortiGate web GUI, the browser will present the user to select the user certificate to authenticate:
 
login.PNG
 
Troubleshooting:
Debugging the 'fnbamd' application on the FortiGate is observed that the certificate provided by the user is checked against the CA imported on the FortiGate:
 
FGT-5_4 # di de application fnbamd -1

FGT-5_4 # di de en
FGT-5_4 # [2197] handle_req-Rcvd auth_cert req id=1168321813
[1440] check_cert-Certificate chain depth 0, max chain depth 8
[1445] check_cert-Subject name 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1446] check_cert-Issuer name 'C = US, ST = Florida, L = Sunrise, O = Fortinet, OU = Fortinet-TAC, CN = CA-root, emailAddress = email@email.com'
[1376] chain_verify-Trusted CA found: CA_Cert_1
[1922] fnbamd_auth_cert_start-Cert subject 'C = US, ST = Florida, O = Fortinet, OU = Fortinet-TAC, CN = user, emailAddress = email@email.com'
[1765] cert_check_group_list-checking group type 1 group name 'PKI-group'
[1658] check_add_peer-check peer user 'pki-admin' in group 'PKI-group', result is 0
[1783] cert_check_group_list-Matched group 'PKI-group'
[180] fnbamd_comm_send_result-Sending result 0 (error 0) for req 1168321813

FGT-5_4 # get system admin list
username   local    device                         vdom     profile      remote                 started    
admin      ssh      port9:10.10.10.20:22           root     super_admin  192.168.200.100:51326  2016-12-19 12:50:13
admin-username https    port9:10.10.10.20:443          root     super_admin  192.168.200.100:51740  2016-12-19 13:02:59

 

Related document: 

Administrative access using certificates

9116
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.