Mutual Transport Layer Security (mTLS) certificate authentication is used as a method of securing access to an internal web server. This ensures that the remote user's identity is verified and authorized before access to the web server is granted. A configuration guide can be found in this Administration Guide article.
Understanding the flow of authentication:
- The remote user presents the client certificate to FortiGate.
- FortiGate verifies that the client certificate was signed by the CA certificate installed on the FortiGate.
- Authentication is processed and FortiGate returns the web page, secured with the server certificate.
Requirements:
- CA certificate that signs user certificates.
- Client Certificate signed by the CA.
- Server Certificate signed by the CA.
OpenSSL or Certificate Authority tool for Windows Server can be used to create the required certificates. OpenSSL certificate creation is explained in this article.
Troubleshooting: As a first step toward troubleshooting, the following debug commands can be used on the FortiGate CLI. It is important to run the debug commands while attempting the connection from the remote user's browser.
diagnose wad debug enable category all
diagnose wad debug enable level verbose
diagnose debug enable
Debug error #1:
[I][p:6574][s:222672] wad_vs_ssl_port_caps_on_clt_certs :12914 1:mTLS: empty client cert! action: Block
[I][p:6574][s:222672] __wad_log_etl :259 size:321 buf:0xc35a8e1
[I][p:6574][s:222672] wad_vs_log_empty_clt_cert :71 1:mTLS: Traffic denied because of empty client certificate
[V][p:6574][s:222672] wad_vs_ssl_port_caps_on_handshake_recv:10386 sp=0x7f644a1e1048/10 recv type=20 len=36
[I][p:6574][s:222672] wad_vs_ssl_port_caps_c2p_on_handshake_done:11080 wsp 0x7f644a1e1048 type 10 handshake done
[I][p:6574][s:222672] wad_vs_ssl_port_caps_c2p_on_handshake_done:11083 1:mTLS: didn't receive the client cert! action=Block
The Client Browser will show the following message:
In this scenario, FortiGate did not receive the client certificate from the remote user's browser.
Solution:
The browser requires the client certificate to be installed in its own certificate store. Even if the certificate has already been installed in the machine certificate store, the browser requires the certificate to be imported directly, as shown below.
Go to Google Chrome Settings -> Privacy and Security -> Security -> Manage Certificates. Under Personal, select Import and install the Client Certificate.
Once the Client Certificate has been imported, clear the Browser Cache, relaunch the Browser, and try accessing the website again.
Note:
It is recommended to use the PKCS12 (.p12) certificate format for client certificate import.
The browser will create a prompt window to choose the Client Certificate.
If the certificate prompt still does not appear, restart the WAD process on the FortiGate with the following command. Important note: It is recommended to restart WAD in a maintenance window so that user traffic is not affected.
fnsysctl killall wad
Clear the cache, relaunch Chrome, and try accessing the website again.
Debug error #2:
[I]2024-07-09 18:02:28.865125 [p:366][s:79503317] wad_ssl_validate_cert_by_ca_store :3450 Failed to verify the cert!(20)
[W]2024-07-09 18:02:28.865129 [p:366][s:79503317] wad_vs_ssl_access_proxy_on_clt_certs: Cert auth failed. status=9
[I]2024-07-09 18:02:28.865519 [p:366][s:79503317] wad_vs_log_clt_cert_failure :fail-reason:unable to get local issuer certificate
Solution:
Make sure the CA certificate is installed on the FortiGate. If the CA is already present, check whether an intermediate certificate is present in the certificate chain. If an intermediate certificate is present in the chain, it has to be installed on the FortiGate as well.
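The following script is an added example and is not part of the Fortinet article or of any Fortinet tooling. It covers three points from above in one run: creating the CA, client and server certificates with OpenSSL (the requirements list), exporting the client certificate in the recommended PKCS12 (.p12) format for the browser import, and the intermediate-certificate situation behind Debug error #2. It builds a throwaway two-tier PKI (root CA, intermediate CA, one client and one server certificate; all names such as Example Root CA, alice@example.test, web.internal.example.test and the import password changeit are made up) and then runs the equivalent chain check with openssl verify: checking the client certificate against the root alone fails with OpenSSL error 20, whose reason string is exactly the "unable to get local issuer certificate" seen in the WAD log, while checking against a root-plus-intermediate bundle succeeds. Running the same check against your own certificates before uploading them tells you whether an intermediate is missing from the FortiGate.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: a throw-away two-tier test PKI
# built with OpenSSL. Every name here (Example Root CA, alice@example.test,
# web.internal.example.test, password "changeit") is made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# issue_leaf NAME CN EKU: key + CSR, certificate signed by the intermediate CA.
issue_leaf() {
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" -CAcreateserial \
        -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Root CA -> intermediate CA -> client and server certificates.
build_test_pki() {
    # Self-signed root CA.
    openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

    # Intermediate CA, signed by the root.
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
    openssl x509 -req -sha256 -days 365 -in "$WORK/inter.csr" \
        -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/req.cnf" -extensions v3_ca \
        -out "$WORK/inter.crt" >/dev/null 2>&1

    # Leaf certificates signed by the intermediate: the situation Debug error #2
    # describes when only the root has been uploaded to the FortiGate.
    issue_leaf client "alice@example.test" clientAuth
    issue_leaf server "web.internal.example.test" serverAuth

    # PKCS12 bundle for the browser import: key, client cert and the issuing
    # intermediate, so the browser can present the chain during the handshake.
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/inter.crt" -passout pass:changeit \
        -out "$WORK/client.p12" >/dev/null 2>&1

    # What the FortiGate needs as CA certificates: root AND intermediate.
    cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/ca-bundle.crt"
}

# Chain check with only the root installed (fails, as the WAD log shows).
verify_client_root_only() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# OpenSSL's reason string for that failure (verify error code 20).
client_root_only_reason() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/client.crt" 2>&1 \
        | grep -o 'unable to get local issuer certificate' | head -n 1
}

# Chain check with root + intermediate (succeeds).
verify_client_full_chain() {
    openssl verify -CAfile "$WORK/ca-bundle.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Confirm the PKCS12 file opens with the password the user will be given.
check_p12() {
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -noout >/dev/null 2>&1
}

build_test_pki
if verify_client_root_only; then
    echo "unexpected: client certificate verified against the root alone"
else
    echo "root only:           $(client_root_only_reason)"
fi
verify_client_full_chain && echo "root + intermediate: client.crt OK"
check_p12 && echo "client.p12 opens with the import password"
echo "files in $WORK"
```

The two verify calls are the whole point: if your real client certificate only passes when the intermediate is added to the CA file, the intermediate must be installed on the FortiGate alongside the root. The resulting client.p12 is what would be imported under Personal in the browser, with the constructed password changeit, and ca-bundle.crt holds the certificates to upload on the FortiGate side.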