FortiGate
Shashwati
Staff
Article Id 295903
Description: This article describes the case in which it is not possible to connect via SSL VPN after Require Client Certificate has been enabled, and how to resolve it.
Scope FortiGate v6.X and v7.X.
Solution
  1. Enable Require Client Certificate in the SSL VPN settings.

  2. Verify that the CA certificate that issued the user certificates is installed on the FortiGate; it is used to validate the SSL VPN user's certificate. To import it, go to System -> Certificates -> Import -> CA Certificate and select the certificate file.

  3. The CA certificate now appears in the list of Remote CA Certificates. In this example, it is called CA_Cert_1.

  4. A user certificate issued by that CA must be installed on the user's PC. When the user authenticates, the FortiGate verifies the user certificate against the imported CA certificate; if the certificate was not issued by that CA, the check fails and the connection is refused.

Note:

For an SSL VPN setup that requires a client certificate, the user needs to import a client certificate issued by a well-known Certificate Authority (CA) onto the user's machine. The default FortiGate built-in certificates cannot be used as a client certificate. FortiGate does not generate client certificates itself, but it can import and use certificates generated by external tools such as OpenSSL.
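
As an added example (not code from the original article), the OpenSSL commands below build a private CA, issue a client certificate from it, and run the same chain check the FortiGate performs in step 4; the CA names and the user name vpnuser are assumed. Verifying the same user certificate against an unrelated CA at the end shows the mismatch that produces the login failure this article describes.

```shell
# Added example (not the article's own code): a private CA, a client cert issued by it,
# and the chain check a FortiGate performs in step 4. Names below are constructed.
write_cfg() {  # minimal OpenSSL config so nothing depends on a system openssl.cnf
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}
# make_ca DIR NAME CN: self-signed CA; its .crt is what gets imported under System -> Certificates
make_ca() {
  openssl req -x509 -config "$1/openssl.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$3" -days 365 >/dev/null 2>&1
}
# issue_client_cert DIR CA USER: key and CSR for USER, signed by CA with the clientAuth EKU
issue_client_cert() {
  openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$3.key" -out "$1/$3.csr" -subj "/CN=$3" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
    -extfile "$1/openssl.cnf" -extensions v3_client -out "$1/$3.crt" -days 365 >/dev/null 2>&1
}
# verify_client_cert CAFILE CERT: exit 0 only if CERT chains to CAFILE and is usable as a TLS client cert
verify_client_cert() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}
# Demo: the issuing CA accepts the user certificate; an unrelated CA rejects it
demo() {
  d=$(mktemp -d)
  write_cfg "$d/openssl.cnf"
  make_ca "$d" ca "Example User CA" && make_ca "$d" other-ca "Unrelated CA" \
    && issue_client_cert "$d" ca vpnuser || return 1
  verify_client_cert "$d/ca.crt" "$d/vpnuser.crt" && echo "imported CA: accepted"
  verify_client_cert "$d/other-ca.crt" "$d/vpnuser.crt" || echo "wrong CA: rejected (the login failure)"
}
demo
```

The ca.crt file is the one to import as a CA Certificate on the FortiGate, and vpnuser.key plus vpnuser.crt are what the user installs on the PC.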

Related document:

SSL VPN with certificate authentication