FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
saleha
Staff
Article Id 381032
Description This article explains the difference in PKI user login when the certificate is issued with a subject carrying the username/account versus a certificate issued only for the FQDN. It assumes no Multi-Factor Authentication (MFA) that would require the user to enter credentials in addition to certificate-based user authentication.
Scope FortiGate, FortiClient.
Solution

PKI user authentication is a common scheme for SSL VPN and remote access IPsec configurations: the user is authenticated with a client certificate, and both that certificate and the issuing root (CA) certificate must be installed on the client machine.


This trust relationship between FortiGate as the VPN server and the connecting FortiClients also requires the CA certificate to be imported into FortiGate. The following article provides an example of such a deployment: Technical Tip: SSL VPN PKI user based authentication with FortiAuthenticator as Local CA authority.


There are two main choices for certificate issuance:

  1. Certificate issued for the domain name, for example, domain.fortinet.test
  2. Certificate issued for a specific user where the subject line of the certificate is the user account or email as illustrated in the following image:


[Image: cert_user.PNG]


The difference is that with a domain-specific certificate, users are prompted to enter credentials before they can log in to the VPN, whereas with a user-specific certificate the login does not require credentials. For SSL VPN, FortiOS has the option to require a client certificate, as explained in the following document: SSL VPN with certificate authentication.
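As an added illustration (not part of the original article), the two issuance choices expressed as FortiOS CLI objects. The CA, peer, group and LDAP server names and the subject strings are assumed; how the group is composed for the domain-certificate case is an assumption about the deployment, not something the article prescribes.

```text
# Choice 1: one certificate for the whole domain. The peer pins only the CA and the
# domain subject, so any client holding that certificate passes the certificate
# check and is then prompted for credentials against the non-PKI member of the
# group (an assumed LDAP server "ldap_corp" here).
config user peer
    edit "pki_domain_cert"
        set ca "CA_Cert_1"
        set subject "CN=domain.fortinet.test"
    next
end
config user group
    edit "vpn_domain_cert_users"
        set member "ldap_corp" "pki_domain_cert"
    next
end

# Choice 2: one certificate per user. The subject carries the account, so the
# certificate alone identifies the user and no credential prompt follows.
config user peer
    edit "pki_alice"
        set ca "CA_Cert_1"
        set subject "CN=alice@domain.fortinet.test"
    next
end
config user group
    edit "vpn_user_cert_users"
        set member "pki_alice"
    next
end

# In both cases, require the SSL VPN client to present a certificate.
config vpn ssl settings
    set reqclientcert enable
end
```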


Another difference is certificate management: issuing and renewing a certificate for each user is a heavier administrative load than issuing a single certificate for the entire domain.