Requirements:

• A CA certificate that signs user certificates.
• A Client Certificate signed by the CA.
• A Server Certificate signed by the CA.
  
  

This article will use the creation of a self-signed CA, a client certificate signed by the CA, and a server certificate signed by the CA using OpenSSL.

The following templates will be used to create the above in this example. Create 3 text files, add the template for each, and change the extension from .txt to .cnf.

CA Certificate Template (RootCA.cnf).

[req]

distinguished_name = req_distinguished_name

req_extensions = v3_req

[ v3_ca ]

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

basicConstraints = critical, CA:TRUE, pathlen:3

keyUsage = critical, cRLSign, keyCertSign

nsCertType = sslCA, emailCA

subjectAltName = @AlT_names

[ req_distinguished_name ]

countryName                 = Country Name (2 letter code)

stateOrProvinceName         = State or Province Name (full name)

localityName               = Locality Name (eg, city)

organizationName           = Organization Name (eg, company)

commonName                 = Common Name (e.g. server FQDN or user's name)

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# extendedKeyUsage=serverAuth

subjectAltName = @AlT_names

[ alt_names ]

DNS.1 = gbt.local

Client Certificate Template (Client.cnf).

[ req ]

default_bits       = 2048

distinguished_name = req_distinguished_name

req_extensions     = v3_req

x509_extensions = v3_req

[ req_distinguished_name ]

countryName                 = Country Name (2 letter code)

stateOrProvinceName         = State or Province Name (full name)

localityName               = Locality Name (eg, city)

organizationName           = Organization Name (eg, company)

commonName                 = Common Name (e.g. server FQDN or user's name)

[ v3_req ]

subjectKeyIdentifier = hash

basicConstraints     = critical,CA:false

subjectAltName       = DNS:gbt.local,DNS:vpn.gbt.local

keyUsage             = critical,digitalSignature,keyEncipherment

extendedKeyUsage     = clientAuth

Server Certificate Template (Server.cnf).

[ req ]

default_bits       = 2048

distinguished_name = req_distinguished_name

req_extensions     = v3_req

x509_extensions = v3_req

[ req_distinguished_name ]

countryName                 = Country Name (2 letter code)

stateOrProvinceName         = State or Province Name (full name)

localityName               = Locality Name (eg, city)

organizationName           = Organization Name (eg, company)

commonName                 = Common Name (e.g. server FQDN or user's name)

[ v3_req ]

subjectKeyIdentifier = hash

basicConstraints     = critical,CA:false

subjectAltName       = DNS:gbt.local,DNS:vpn.gbt.local

keyUsage             = critical,digitalSignature,keyEncipherment

extendedKeyUsage     = serverAuth

Create the Certificates.

First, install OpenSSL for windows.
Copy the templates previously created to the OpenSSL folder. Then, open the command line as an administrator and navigate to the OpenSSL folder.
For example: C:\Program Files\OpenSSL-Win64\bin.

Create the CA certificate by running the following commands:

openssl.exe genrsa -aes256 -out ca.key 2048
[ENTER A PASSWORD]

openssl.exe req -new -x509 -extensions v3_ca -days 3650 -key ca.key -sha256 -out ca.pem -config RootCA.cnf
[ENTER THE INFORMATION REQUESTED]

The ca.key file and a CA certificate named ca.pem should now be available:

Create the Client Certificate by running the following commands:

openssl.exe genrsa -out client.key 2048
openssl.exe req -new -key client.key -out client.csr -config client.cnf
openssl.exe x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 1024 -sha256 -extfile client.cnf -extensions v3_req
openssl.exe pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile ca.pem

The files below, and the client.pfx PKCS#12 bundle, should now be available:

Create the Server Certificate by running the following commands:

openssl.exe genrsa -out server.key 2048
openssl.exe req -new -key ca.key -out server.csr -config server.cnf
openssl.exe x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 1024 -sha256 -extfile server.cnf -extensions v3_req
openssl.exe pkcs12 -export -out server.pfx -inkey ca.key -in server.pem -certfile ca.pem

The files below, and the server.pfx PKCS#12 bundle, should now be available:

Import the Server Certificate to the FortiGate.

It is time to import the ca.key, ca.pem and server.pem files into FortiGate.

1. Navigate to System -> Certificate -> Create/Import.
   Select Import Certificate -> Select Type Certificate.
2. Upload server.pem.
3. Upload ca.key.
4. Enter the correct password and select Create.

The Server Certificate should now show under Local Certificate:

Import the CA Certificate to the FortiGate.

Navigate to System -> Certificate -> Create/Import:

Repeat the steps above with ca.pem.

The CA Certificate should now show under Remote CA Certificate:

Import the Client Certificate and the CA to the Windows Client.

Required files: Client.pfx, ca.pem.

Install the Client Certificate on the Client Windows system.
In the Wizard, select Store Location -> Local Machine -> Next.

Import Client.pfx -> Next -> Enter the password previously created on OpenSSL -> Next -> Select Place all certificate in the Following store and Select Personnel -> Next -> Finish.

The Client Certificate should now be available under the Certificate Store:

Install the CA certificate.

First, change the file extension of ca.pem to ca.cer. Open it and select Install Certificate -> Store Location -> Local Machine -> Next -> Select Place all certificate in the Following store -> Select Trusted Root Certification Authorities -> Next -> Finish.

The CA Certificate should now be available under the Certificate Store Trusted Root:

Configure PKI users on the FortiGate.

config user peer

    edit User2

        set ca CA_Cert_1

        set cn Gabriel

end

In this example, the desired outcome is for the FortiGate to look at the CN field in the certificate subject provided by the Client.

Assign PKI user to a group on the FortiGate.

config user peergrp

    edit pki_users

        set member User2

end

Configure the Dial-up IPsec Tunnel.

config vpn ipsec phase1-interface

    edit "Dialup"

        set type dynamic

        set interface "port1"

        set ike-version 2

        set local-gw 10.9.10.62

        set authmethod signature

        set peertype peergrp

        set net-device enable

        set mode-cfg enable

        set proposal aes256-sha512

        set dpd on-idle

        set comments "VPN: Dialup (Created by VPN wizard)"

        set dhgrp 14

        set certificate "server"

        set peergrp "pki_users"

        set ipv4-start-ip 10.10.10.10

        set ipv4-end-ip 10.10.10.20

        set dns-mode auto

        set ipv4-split-include "Dialup_split"

        set save-password enable

        set dpd-retryinterval 60

    next

end

In this example, the settings have been changed to assign the peertype, peergrp, certificate and authmethod to signature.

set authmethod signature
set peertype peergrp
set certificate "server"

set peergrp "pki_users"

Configure FortiClient.

In the FortiClient, select Create a new VPN connection.
Fill in the required information.
Select X.509 Certificate as the Authentication method.
Select the Client Certificate.

Ensure that, under Advanced Settings, the Phase 1 and Phase 2 information match the information configured on the FortiGate.

Save the changes and try to connect using the client Certificate.

Troubleshooting steps.

1. Debug on the FortiGate side to see if traffic is being received.
   Open the CLI and run the following:

diagnose debug application ike -1
diagnose debug application fnbamd -1
diagnose debug enable

2. Download the debug logs from the FortiClient.

Navigate to Settings -> Logging -> Export Logs.

If the error message 'IKE phase1 authentication fail as peer’s certificate is not verified' occurs, ensure the CA certificate was installed under the Trusted Root Certification Authorities.

If the issue persists, contact Fortinet Support for more assistance.
Note that the OpenSSL is not supported or endorsed by Fortinet. In this article it is used to create a certificate with its keypair and the respective keypair must be present for use, subject or certificate details may differ and are freely definable. At the time of writing, there is an open-source OpenSSL frontend, that can be helpful to create certificates, called XCA. It is also not supported by Fortinet.