Description
This article explains why PKI peer user creation for certificate authentication is needed.
In some cases, when SSL VPN or IPsec VPN is configured with certificate authentication, the connection may fail even though the client presents a valid user certificate.
Scope
FortiGate.
Solution
This issue might occur if the PKI user created for SSL VPN or IPSec VPN does not match the incoming user certificate from the client end.
The only parameter that FortiGate verifies to match a user certificate against a PKI user created on FortiGate is the 'subject' name. This subject name must be the one in the user certificate's subject field (CN = name). If the CN in the client certificate and the subject in the PKI user entry on FortiGate do not match, certificate authentication will fail.
To create PKI users and a user group, use the CLI commands below.
config user peer
edit pki01
set ca CA_Cert_1
set subject "CN = name" <----- Replace 'name' with the name in the CN field.
end
In the above PKI user entry, the subject (CN = name) must be the subject on the user certificate, where 'name' stands for the CN value (for example, 'User01'), and 'CA_Cert_1' is the name of the CA certificate that issued it.
To add PKI users to a user group, use the following CLI commands.
config user peergrp
edit pki-users
set member "pki01"
end
Note: IPsec dial-up tunnels depend on the IKE daemon, which requires an exact CN match with the peer certificate, whereas SSL VPN certificate matching is handled by the FNBAMD daemon and uses the vpn.certificate settings (subject-match / cn-match), each of which can be set to a substring or an exact value match.
config vpn certificate setting
set cn-match [substring|value]
set subject-match [substring|value]
end
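The following Python script is an added example, not FortiGate code, that models the two match modes named above (value = exact match, substring = contained in) so an administrator can pre-check a client certificate's subject against the subject string intended for the PKI peer entry before configuring it. The sample subject DNs are constructed; the parser is a simplification that does not handle quoted or escaped commas in attribute values, and how FortiOS itself normalizes subjects is not documented on this page, so treat the result as a sanity check rather than a guarantee.

```python
"""
Pre-check a client certificate subject against a PKI peer subject, modelled
on the cn-match / subject-match modes (value = exact, substring = contained).
Added example, not FortiGate's implementation. DN strings are sample data.
"""
import re
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split 'C = US, O = Example, CN = User01' into [('C', 'US'), ...].

    Whitespace around '=' and ',' is dropped and attribute types are
    upper-cased, so 'CN = User01' and 'cn=User01' parse identically.
    Simplification: values containing quoted or escaped commas are not handled.
    """
    rdns: List[RDN] = []
    for part in re.split(r"\s*,\s*", dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical 'ATTR=value,ATTR=value' form used for whole-subject compares."""
    return ",".join(f"{attr}={value}" for attr, value in parse_dn(dn))


def get_cn(dn: str) -> Optional[str]:
    """Return the value of the first CN attribute, or None if there is none."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None


def _compare(cert_value: str, peer_value: str, mode: str) -> bool:
    # Comparisons are case-sensitive, an assumption of this model.
    if not peer_value:
        return False
    if mode == "value":
        return cert_value == peer_value
    if mode == "substring":
        return peer_value in cert_value
    raise ValueError(f"unknown match mode: {mode!r} (expected 'value' or 'substring')")


def cn_matches(cert_subject: str, peer_subject: str, mode: str = "value") -> bool:
    """Model of cn-match: compare only the CN attribute of both subjects."""
    cert_cn, peer_cn = get_cn(cert_subject), get_cn(peer_subject)
    if cert_cn is None or peer_cn is None:
        return False
    return _compare(cert_cn, peer_cn, mode)


def subject_matches(cert_subject: str, peer_subject: str, mode: str = "value") -> bool:
    """Model of subject-match: compare the whole normalized subject strings."""
    return _compare(normalize_dn(cert_subject), normalize_dn(peer_subject), mode)


if __name__ == "__main__":
    # Constructed sample: what the client certificate's subject might look like.
    cert = "C = US, O = Example Corp, CN = User01"
    for peer in ("CN = User01", "CN = User", "CN = user01"):
        for mode in ("value", "substring"):
            print(f"peer subject {peer!r:16} {mode:9} "
                  f"cn-match={cn_matches(cert, peer, mode)!s:5} "
                  f"subject-match={subject_matches(cert, peer, mode)}")
```

Running the script shows the practical difference between the two settings: a CN-only peer subject such as "CN = User01" passes cn-match in either mode but only passes subject-match in substring mode, because the certificate's full subject also carries C and O attributes; a case mismatch such as "CN = user01" fails in every mode.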
Related articles:
Technical Tip: Unable to connect to SSL VPN due to 'Certificate check error failed'
Technical Note: Using Certificates to authenticate users in SSL VPN
Technical Note: How to configure IPsec dialup VPN with certificate based authentication
Copyright 2025 Fortinet, Inc. All Rights Reserved.