To use certificates for IPSec authentication a FortiGate device requires the following:

1. Its device certificate was issued from FortiAuthenticator.

Certificates can be manually requested by generating a CSR from the FortiGate which is then signed by the FortiAuthenticator, however using SCEP automates this process.

Certificate enrollment using SCEP can be done directly on a Fortigate device:

Technical Tip: FortiGate Certificate enrollment using SCEP

Certificate enrollment using SCEP can be managed via FortiManager:
Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA

     2. The FortiAuthenticator CA certificate.
In FortiAuthenticator navigate to Certificate Management -> Certificate Authorities -> Local CA's, select the appropriate Certificate ID, and select 'Export Certificate'.

The exported certificate can then be imported to the FortiGate device as a CA certificate (System -> Certificates -> Create/Import).

The certificate can also be imported in bulk if managing devices via FortiManager, using a script run against the Device Database, example below:

config vpn certificate ca
    edit "MY_CA_CERT"
        set ca "-----BEGIN CERTIFICATE-----

MIIEFzCCAv+gAwIBAgIIXHL2M/nzy+cwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UE

h00DnkhFZuHp2SwKIEH8FbQ77d2iWEJM8qxpFEP31BB+MsfrgkCHCkcbA==

    -----END CERTIFICATE-----"
    next
end

3. Confirm OSCP is enabled on the FortiAuthenticator interface
   
   

FortiAuthenticator GUI -> Network -> Interfaces -> Select the desired Interface -> Enable OCSP on the interface (port 2560).

4. VPN Tunnel is configured to use its certificate to authenticate itself and the CA certificate to authenticate its peer(s).

Example Configuration:

config user peer
    edit "MY_CA_PEER"
        set ca "MY_CA_CERT"                    <----- CA cert imported in step 2.
    next
end

config vpn ipsec phase1-interface
    edit "vpn1"
        set interface "port1"
        set authmethod signature
        set net-device disable
        set proposal aes256-sha256
        set remote-gw 192.168.0.1
        set certificate "MY_DEVICE_CERT"          <----- Device cert installed in step 1.
        set peer "MY_CA_PEER"
    next
end

config vpn ipsec phase2-interface
    edit "vpn1"
        set phase1name "vpn1"
        set proposal aes256-sha256
    next
end

Note:

Appropriate firewall policies and routing must be configured in addition to the above.

5. Certificate revocation checking is configured to ensure peers with revoked certificates are not authenticated.

    

This example uses OCSP, which sends on-demand requests to the OCSP server (FortiAuthenticator) to confirm a certificate's validity.

config vpn certificate ocsp-server
    edit "MY_OCSP_SRV"
        set url "http://192.168.0.254:2560"          <- FortiAuthenticator IP address.
        set cert "MY_CA_CERT"                            <- CA cert imported in step 2.
    next
end

config user peer
    edit "MY_CA_PEER"                             <- Peer configured in step 4.
        set ocsp-override-server "MY_OCSP_SRV"
    next
end

config vpn certificate setting
    set ocsp-status enable
end

Notes:

Any attempt to connect to a peer that has a revoked certificate should fail, with an 'IPsec phase 1 error' entered into the VPN event log, with reason = 'invalid certificate'.

Running a debug should also confirm this:

diagnose debug application fnbamd -1

diagnose debug enable

Example output, showing the certificate status:

fnbamd_verify_ocsp_response-Cert status: REVOKED, reason=4(superseded)

Related documents:

Cookbook: FortiAuthenticator as a certificate authority

Technical Note: How to generate a CSR from FortiGate

Technical Note: How to sign a CSR on FortiAuthenticator