Rudresh_Veerappaji
Article Id 358678
Description

This article describes the use cases in which FortiGate uses PKI certificates, how to enable a certificate for a specific feature (with examples), and the priority order in which the certificate settings are applied, which helps when troubleshooting certificate-related issues.

Scope: FortiGate, PKI.
Solution

Several security features rely on PKI certificates, and each is configured in its own part of the FortiGate configuration. Which of these settings exist, and the order in which they are evaluated, dictates which certificate a feature ends up using. It is therefore important to know every location where a certificate can be mapped and the priority in which the candidates are chosen for authentication, inspection and so on. This is also the first thing to check when a feature does not present the certificate you expect: usually another setting higher in the priority order is overriding the mapping you configured.

 

Two categories of use cases are covered: 'VPN use cases', where certificates authenticate VPN sessions (IPsec and SSL VPN), and 'Non-VPN use cases', which cover captive portal authentication, firewall policy SSL inspection, web filter authentication and similar features. Both are described with examples in the sections below.

 

1. VPN use cases.

 

This section covers the certificate mappings for the basic VPN use cases, IPsec VPN and SSL VPN authentication.

 

     1.1. IPSec VPN with certificate authentication.

 

'set certificate' in the IPsec phase1-interface selects the certificate this FortiGate presents to authenticate itself to the VPN peer during IKE negotiation (with 'set authmethod signature'). Which certificates are accepted from the peer is controlled separately by 'set peer', which points to a PKI peer object under 'config user peer' that names the trusted CA (and optionally the expected certificate subject); 'set peer' only takes effect together with 'set peertype peer'. Each side must therefore trust the CA that issued the other side's certificate.

 

config vpn ipsec phase1-interface
    edit "S2S-VPN-PKI"
        . . .
        set authmethod signature
        set certificate "ACME-FGT-VPN-certificate" <--- Certificate this FortiGate uses to authenticate itself to the VPN peer.
        set peer "PKI-S2S_peer" <--- PKI peer object (config user peer) whose CA must have signed the peer's certificate.
    next
end

 

     1.2 SSL VPN Remote access.

 

'set servercert' under the global SSL VPN settings selects the server certificate FortiGate presents to remote access SSL VPN clients during the TLS handshake. If it is not set, the built-in self-signed Fortinet_Factory certificate is used, and clients will raise a certificate warning unless they have been configured to trust it.

 

config vpn ssl settings
    set servercert "ACME-FGT-SSL-Server-certificate" <--- Server certificate presented to remote access SSL VPN clients.
end

 

     2. Non-VPN use cases.

 

This section covers the authentication use cases where the type and order of the settings determine which certificate a feature uses. Before going through them, it is necessary to understand the difference between 'auth-ca-cert' and 'auth-cert' under 'config user setting', where the global user authentication settings live.

 

auth-ca-cert vs auth-cert:

  • 'auth-ca-cert' is the CA certificate FortiGate uses to sign the certificates it generates for inspected (man-in-the-middle) sessions. 'auth-cert' is the server certificate used for sessions that are not re-signed, and it is consulted only when auth-ca-cert is not configured.
  • The hostname is taken from the client hello (SNI) and used as the subject of the certificate re-signed by auth-ca-cert. If no hostname is present, the destination IP address is used instead, which is why clients that do not send SNI see a different certificate.
  • 'auth-secure-http enable' serves the authentication pages over HTTPS; without it the pages are served over HTTP and neither certificate is involved.

config user setting

set auth-cert "ACME-Cert" <--- This certificate will be used as a server certificate for non-signing server sessions
set auth-ca-cert "ACME-CA-Cert"  <--- This CA certificate will be used to re-sign all server certificates.
set auth-secure-http enable

end

 

When auth-ca-cert is configured, every server certificate is re-signed by this CA, even if auth-cert is set to a different certificate. If the requirement is a single common CA for all authentication use cases, enabling auth-ca-cert under 'config user setting' is the simplest solution: it overrides every other auth-cert setting on the FortiGate and has the highest priority for the server certificate presented to end users. The trade-off is that every client must trust that CA, otherwise every authentication page will raise a certificate warning.

If auth-ca-cert is not configured, then the following settings are taken into consideration while choosing the certificate with a descending priority order:

1. Captive portal interface auth cert.

2. Firewall policy auth cert.

3. Web filter 'authenticate' action.

4. User setting auth cert.

5. System global auth cert.

6. web-proxy global.

 

In the next section, the above use cases are discussed with examples.
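The priority order above, as an added example that is not part of the original article and not Fortinet code: a small parser for FortiOS-style 'config/edit/set/next/end' output and a resolver that walks the settings in the order stated here. The sample configuration is constructed from the objects used in this article (it is not a real device dump), and the resolver encodes the order exactly as the article describes it; confirm the behaviour on your FortiOS release before relying on it.

```python
import re

# Constructed sample, not a real device dump: a trimmed FortiOS
# configuration containing the objects used in this article.
SAMPLE_CONFIG = '''
config user setting
    set auth-cert "ACME-Cert"
end
config system global
    set auth-cert "ACME-SSL-Cert"
end
config system interface
    edit "VLAN-60-Guest"
        set security-mode captive-portal
        set auth-cert "ACME-Captive-portal-Cert"
    next
end
config firewall ssl-ssh-profile
    edit "custom-deep-inspection"
        set caname "ACME-SubCA-For-SSL-Inspection"
    next
end
config webfilter profile
    edit "ACME-webfilter-1"
        config ftgd-wf
            config filters
                edit 35
                    set category 37
                    set action authenticate
                next
            end
        end
    next
end
config firewall policy
    edit 11
        set ssl-ssh-profile "custom-deep-inspection"
    next
    edit 12
        set webfilter-profile "ACME-webfilter-1"
    next
    edit 13
        set groups "Local-accounts"
    next
end
config web-proxy global
    set ssl-ca-cert "Fortinet_CA_SSL"
end
'''


def parse_fortios(text):
    """Parse FortiOS CLI output into nested dicts: 'config' and 'edit' open a
    level, 'set' stores a value, 'next' and 'end' close the current level."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        keyword, args = tokens[0], tokens[1:]
        if keyword == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif keyword == "set":
            stack[-1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif keyword in ("next", "end"):
            stack.pop()
    return root


def webfilter_requires_auth(profile):
    """True if any FortiGuard category filter in the profile has action 'authenticate'."""
    filters = profile.get("ftgd-wf", {}).get("filters", {})
    return any(f.get("action") == "authenticate" for f in filters.values())


def effective_cert(cfg, interface=None, policy=None):
    """Return (certificate name, setting it came from) for the page shown to a user
    hitting a captive-portal `interface` or an authenticating firewall `policy`,
    following the priority order stated in this article."""
    user = cfg.get("user setting", {})
    if user.get("auth-ca-cert"):                        # global CA re-signs everything
        return user["auth-ca-cert"], "user setting auth-ca-cert"
    if interface is not None:                           # 1. captive portal interface
        intf = cfg.get("system interface", {}).get(interface, {})
        if intf.get("security-mode") == "captive-portal" and intf.get("auth-cert"):
            return intf["auth-cert"], "interface auth-cert"
    web_proxy_ca = cfg.get("web-proxy global", {}).get("ssl-ca-cert")
    if policy is not None:
        pol = cfg.get("firewall policy", {}).get(str(policy), {})
        profile = cfg.get("firewall ssl-ssh-profile", {}).get(pol.get("ssl-ssh-profile", ""), {})
        if profile.get("caname"):                       # 2. policy's SSL/SSH profile CA
            return profile["caname"], "firewall policy ssl-ssh-profile caname"
        wf = cfg.get("webfilter profile", {}).get(pol.get("webfilter-profile", ""), {})
        if webfilter_requires_auth(wf):                 # 3. web filter authenticate, no SSL CA
            return web_proxy_ca, "web-proxy global ssl-ca-cert (web filter authenticate)"
    if user.get("auth-cert"):                           # 4. user setting
        return user["auth-cert"], "user setting auth-cert"
    if cfg.get("system global", {}).get("auth-cert"):   # 5. system global
        return cfg["system global"]["auth-cert"], "system global auth-cert"
    return web_proxy_ca, "web-proxy global ssl-ca-cert"   # 6. last fallback


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for args in ({"interface": "VLAN-60-Guest"}, {"policy": 11}, {"policy": 12}, {"policy": 13}):
        print(args, "->", effective_cert(cfg, **args))
```

Feed it the output of 'show full-configuration' (or the relevant 'show' sections) from the device under investigation; the second element of the result names the setting to change when the wrong certificate is being presented.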

 

     2.1 Captive portal interface authentication.

 

Captive portal can be enabled on any network interface (physical, VLAN or Wi-Fi) by setting security-mode to captive-portal. 'set auth-cert' on the interface selects the certificate used for the captive portal login page shown to the user. The name in 'auth-portal-addr' should appear as the CN or a Subject Alternative Name of that certificate; otherwise the browser warns about a name mismatch even when the certificate itself is trusted.

 

config system interface

edit "VLAN-60-Guest"

set description "Guest Wifi"
set security-mode captive-portal
set auth-cert "ACME-Captive-portal-Cert" <--- This certificate will be used for captive portal login page.
set auth-portal-addr "guestaccess.acme-portal.example.com"

...

next

end

 

     2.2 Firewall policy.

 

When SSL inspection is enabled on a firewall policy, the CA certificate used for deep inspection is defined in the SSL/SSH profile attached to that policy, not on the policy itself, as shown in the example below:

 

FortiGate $ show firewall policy

config firewall policy

edit 11

. . .
set name "Allow-lan-to-wan"

set ssl-ssh-profile "custom-deep-inspection"

next

end

FortiGate $ show firewall ssl-ssh-profile

config firewall ssl-ssh-profile

edit "custom-deep-inspection"

. . .

set caname "ACME-SubCA-For-SSL-Inspection" <--- This is the CA certificate used for SSL inspection for the corresponding firewall policy.
next

end

 

     2.3 Webfilter authentication.

 

One of the possible actions for category-based web filtering is 'Authenticate', which prompts the user for credentials before allowing access to the category. The authentication page needs a certificate: if SSL inspection is enabled on the firewall policy, the CA from that SSL/SSH profile is used; if it is not, the certificate defined in the web-proxy global settings (section 2.6) is used.

 

config webfilter profile
    edit "ACME-webfilter-1"
        set feature-set proxy
        config ftgd-wf
            config filters
                edit 35
                    set category 37
                    set action authenticate <--- Requires the user to authenticate before accessing this category.
                    set auth-usr-grp "Local-accounts" <--- User groups allowed to authenticate for this category.
                next
            end
        end
    next
end

 

     2.4 User settings.

 

Most of the user authentication settings are available for configuration under the 'config user setting'. The main settings relevant to this article are the auth-cert and auth-ca-cert, which were discussed earlier in the article.

 

FortiGate $ show user setting

config user setting
    set auth-cert "ACME-cert"  <--- Certificate used for the authentication login page shown to users, if auth-ca-cert is not configured.
    set auth-ca-cert "ACME-CA-cert"  <--- If configured, this CA takes priority over every other certificate mapping on the FortiGate.
    set auth-secure-http enable
end

 

To require authentication for users passing through FortiGate, list 'groups' or 'users' on the firewall policy as shown in the example below. A user matching the policy is then redirected in the browser to an authentication page (over HTTPS when auth-secure-http is enabled). The certificate for that page is the 'auth-ca-cert' from 'config user setting', or 'auth-cert' if auth-ca-cert is not configured.

 

config firewall policy

edit 11
set name "Allow-lan-to-wan"
. . .
set groups "Local-accounts"  <--- Enables user authentication for groups, list here the groups (of users) that can authenticate with this policy.  

set users "internal-user-1"  <--- Enables user authentication individually per user, list the names of individual users that can authenticate with this policy.  
next

end

 

     2.5 System global settings.

 

The certificate FortiGate uses for HTTPS connections to its own interfaces (for example GUI management access) is controlled by 'set admin-server-cert' under 'config system global'. The 'auth-cert' here is used for the user authentication pages (section 2.4) only when no auth-cert is configured under 'config user setting'.

 

FortiGate $ show sys global

config system global

. . .
set admin-server-cert "RootCA-Fortinet-Lab" <--- Server certificate that the FortiGate uses for HTTPS administrative connections.
set auth-cert "ACME-SSL-Cert" <--- Server certificate that the FortiGate uses for HTTPS firewall authentication connections, and it is used if auth-cert under 'config user setting' is not configured.

 

     2.6 Web-proxy global settings.

 

'ssl-ca-cert' under the web-proxy global settings is the last fallback: the signing certificate used when neither an SSL inspection CA nor an authentication certificate is configured in any of the settings above.

 

config web-proxy global

set ssl-ca-cert "Fortinet_CA_SSL" <--- This is the SSL signing certificate used as a fallback option if no other certificate mapping is configured

end
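To confirm which certificate a FortiGate really presents, compare the live handshake with what the priority order predicts. The helper below is an added example, not from this article or from Fortinet: it wraps the openssl command-line tool (assumed to be installed) to fetch the presented subject and issuer, then maps the result back to the kind of setting that produced it. The sample openssl outputs are constructed; the CA and host names are the ones used in this article.

```python
import re
import subprocess


def openssl_presented_cert(host, port=443, sni=None):
    """Fetch the subject/issuer lines openssl prints for the certificate the
    endpoint actually presents. Needs the openssl CLI and network access, so
    the self-check below runs on constructed output instead of calling this."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if sni:
        cmd += ["-servername", sni]
    handshake = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                          input=handshake.stdout, capture_output=True, timeout=20)
    return x509.stdout.decode(errors="replace")


def dn_cn(dn):
    """CN from an openssl-printed DN, in either 'CN = x, O = y' or '/CN=x/O=y' form."""
    m = re.search(r"CN\s*=\s*([^,/\n]+)", dn)
    return m.group(1).strip() if m else None


def parse_subject_issuer(text):
    """Reduce 'subject=...' / 'issuer=...' lines to {'subject': CN, 'issuer': CN}."""
    names = {}
    for line in text.splitlines():
        m = re.match(r"\s*(subject|issuer)\s*=\s*(.+)", line)
        if m:
            names[m.group(1)] = dn_cn(m.group(2))
    return names


def classify(text, resign_ca_cn, server_cert_cn):
    """Map a presented certificate back to the setting that produced it:
    'resigned'   - issuer is the re-signing CA (auth-ca-cert or an SSL inspection CA),
    'static'     - subject is the configured server certificate (one of the auth-cert settings),
    'unexpected' - neither, e.g. a factory certificate or a stale mapping worth a closer look."""
    names = parse_subject_issuer(text)
    if names.get("issuer") == resign_ca_cn:
        return "resigned", names
    if names.get("subject") == server_cert_cn:
        return "static", names
    return "unexpected", names


# Constructed openssl outputs for the three situations (not real captures).
RESIGNED_SAMPLE = ("subject=CN = guestaccess.acme-portal.example.com\n"
                   "issuer=CN = ACME-CA-Cert, O = ACME\n")
STATIC_SAMPLE = ("subject=CN = guestaccess.acme-portal.example.com, O = ACME\n"
                 "issuer=CN = ACME Issuing CA, O = ACME\n")
FACTORY_SAMPLE = ("subject=C = US, O = Fortinet, CN = FGT-factory-example\n"
                  "issuer=C = US, O = Fortinet, CN = fortinet-subca-example\n")

if __name__ == "__main__":
    for sample in (RESIGNED_SAMPLE, STATIC_SAMPLE, FACTORY_SAMPLE):
        print(classify(sample, "ACME-CA-Cert", "guestaccess.acme-portal.example.com"))
```

Run openssl_presented_cert() against the portal or redirect address twice, once with sni set to the portal FQDN and once without, to see the hostname rule from the auth-ca-cert bullets in practice: with a re-signing CA in effect the subject follows the client hello name, or the destination IP when no SNI is sent. A 'resigned' result where you expected 'static' means a global auth-ca-cert (or the policy's SSL inspection CA) is overriding the per-feature auth-cert.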

 

Related documents:

FortiGate - PKI Certificate management Administration guide 

FortiGate - Technical Tip: Certificate error when accessing blocked page

FortiGate - config user setting detailed CLI reference 

FortiGate - Captive portal configurations

FortiGate - Configuring PKI user - certificate mapping