| Description | This article describes the difference in PKI user login between a certificate whose subject carries the username/account and a certificate issued only for the domain FQDN. It assumes no Multi-Factor Authentication (MFA) that would require the user to enter credentials in addition to certificate-based user authentication. |
| Scope | FortiGate, FortiClient. |
| Solution |
PKI user is a common authentication scheme for SSL VPN and remote-access IPsec configurations in which user authentication requires a client certificate, with the issuing root CA certificate installed on the client machine.
This trust relationship between FortiGate, as the VPN server, and the connecting FortiClients also requires the CA certificate to be imported to FortiGate. The following article provides an example of such a deployment: Technical Tip: SSL VPN PKI user based authentication with FortiAuthenticator as Local CA authority.
Two main choices can be made on certificate issuance: a user-specific certificate, whose subject carries the username/account, or a domain-specific certificate issued only for the FQDN.
The difference is that with a domain-specific certificate, users are prompted to enter credentials before they can log in to the VPN, while with a user-specific certificate the user login does not require credentials. For SSL VPN configurations, FortiOS has the option to require a client certificate, as explained in the following document: SSL VPN with certificate authentication.
Another difference is certificate management: issuing and renewing a certificate for each user is a heavier load on the administrator than issuing a single certificate for the entire domain. |
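The two certificate choices, modelled as an added example that is not part of the article and not FortiOS code: a constructed Python check that maps a client certificate's issuing CA and subject DN to a peer rule and reports whether the certificate alone identifies the user or credentials are still needed. The CA name, peer names and FQDN are placeholders, and the exact-RDN matching is a simplification rather than FortiGate's actual matching logic.

```python
"""Simplified model of user-specific vs domain-specific PKI client certificates."""
from dataclasses import dataclass

# Constructed placeholder values, not taken from any real FortiGate configuration.
DOMAIN_FQDN = "vpn.example.com"


@dataclass
class PeerRule:
    name: str     # PKI peer (user) entry name
    ca: str       # CA that must have issued the client certificate
    subject: str  # RDNs that must all appear in the certificate subject


PEER_RULES = [
    PeerRule("pki_user_jdoe", "CA_Cert_1", "CN=jdoe"),          # user-specific
    PeerRule("pki_domain", "CA_Cert_1", f"CN={DOMAIN_FQDN}"),  # domain-specific
]


def parse_dn(dn: str) -> dict:
    """Split 'CN = jdoe, OU = VPN Users' into {'CN': 'jdoe', 'OU': 'VPN Users'}."""
    parts = {}
    for rdn in dn.split(","):
        if "=" in rdn:
            key, _, value = rdn.partition("=")
            parts[key.strip().upper()] = value.strip()
    return parts


def match_peer(issuer_ca: str, subject_dn: str):
    """Return the first rule whose CA matches and whose RDNs all match exactly."""
    subject = parse_dn(subject_dn)
    for rule in PEER_RULES:
        wanted = parse_dn(rule.subject)
        # Exact RDN comparison: 'CN=jdoe' must not also accept 'CN=jdoe2'.
        if rule.ca == issuer_ca and all(subject.get(k) == v for k, v in wanted.items()):
            return rule
    return None


def login_requirement(issuer_ca: str, subject_dn: str) -> str:
    """'reject', 'certificate-only' (CN names the account) or 'certificate+credentials'."""
    if match_peer(issuer_ca, subject_dn) is None:
        return "reject"
    cn = parse_dn(subject_dn).get("CN", "")
    if cn.lower() == DOMAIN_FQDN:
        return "certificate+credentials"  # domain cert carries no user identity
    return "certificate-only"
```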
Copyright 2025 Fortinet, Inc. All Rights Reserved.