Description
How to use FortiToken PKI Manager with Active Directory to sign and load user certificates onto a FortiToken 300 (a hardened USB key for containing Private Keys and Public Certificates).
The steps covered include:
- set up an Enrollment Agent in Windows Active Directory Certificate Services
- set up the SmartCard Certificate Template
- use the Agent with the template to sign User Certificates
- import the user certificates onto a FortiToken 300
Solution
Requirements
- Windows Active Directory Certificate Services
- FortiToken PKI Manager (FTK300_Setup_V1.2..exe at https://support.fortinet.com)
- Access to either the CA directly or from an enrollment machine
Installing FortiToken PKI Manager
The FortiToken PKI Manager will need to be installed on the CA Server for the “FEITIAN CSP For Fortinet V1.0” to be present on the server as an applicable CSP. This CSP is only for 2003 Certificate Templates and does not work on later version templates. (The PKI Manager may also be installed on an Enrollment Machine to facilitate Certificate Management.)
- On the Server, download and run FTK300_Setup_V1.2..exe from https://support.fortinet.com
- After the install, attempt to run “FortiToken PKI Manager” and confirm it can see your FortiToken-300 when connected directly or shared over RDP
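A quick way to confirm the install did what the template setup later depends on is to check that the CSP is actually registered on the server. The following PowerShell is an added example, not part of the Fortinet article or the FortiToken product; it assumes the CSP name exactly as given above and reads the standard CAPI provider registry key.

```powershell
# Added example (not from the Fortinet article): confirm that the FEITIAN CSP
# is registered on this machine after installing FortiToken PKI Manager.
# The CSP name is taken from the article; everything else is a local check.
$ExpectedCsp = 'FEITIAN CSP For Fortinet V1.0'

function Test-FortiTokenCsp {
    param([string]$Name = $ExpectedCsp)

    # certutil -csplist enumerates every registered provider and prints each
    # one on a "Provider Name: <name>" line; collect just the names.
    $listed = foreach ($line in (certutil -csplist)) {
        if ($line -match '^Provider Name:\s*(.+)$') { $Matches[1].Trim() }
    }

    # Legacy CAPI CSPs (which this one is; it only works with 2003 templates)
    # are recorded as subkeys under this registry path.
    $regPath    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider'
    $inRegistry = Test-Path (Join-Path $regPath $Name)

    [pscustomobject]@{
        Csp          = $Name
        CertutilSees = ($listed -contains $Name)
        InRegistry   = $inRegistry
    }
}

# Run on the CA (or on an enrollment machine where PKI Manager was installed).
Test-FortiTokenCsp
```

If both fields come back False, the template's Request Handling tab will not offer the CSP and the SmartCard template step cannot be completed as described.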
Setting up the Enrollment Agent
To facilitate and secure the issuance of User Certificates to SmartCards, an Enrollment Agent should be used. The Enrollment Agent ensures that only one user account has permission to enroll in the SmartCard Certificate, and it makes issuance easier and faster because that account can enroll certificates on behalf of other users. In this document, the Enrollment Agent will be referred to as scuser.
This part has two major steps: creating the Enrollment Agent template, and enrolling the user with the template.
- Connect to the Active Directory Certificate Services server and open Certification Authority. Right-click Certificate Templates and select Manage.
- In the Certificate Templates Console, locate Enrollment Agent. Right-click this entry and select “Duplicate Template”.
- Ensure that Compatibility settings are set to Windows Server 2003 for both Certification Authority and Certificate Recipient.
- Under General, give the template a name to identify it (in this example it will be referred to as “SC Enrollment Fortinet”). You can also modify the Validity Period so the Certificate is valid longer or shorter if desired.
- Under Security, ensure that scuser has permissions to Read, Write, Enroll and Autoenroll, and then save and close the Template.
- Close the Certificate Templates Console for now, then right-click “Certificate Templates” in Certification Authority and select New > Certificate Template to Issue. Select the new Template that was just created and click OK.
- Create a User in Active Directory Users and Computers with basic privileges (NOTE: If the CA will be used directly for enrolling Certificates, ensure that scuser is given permission to log in interactively on the server).
- Open MMC as scuser from the Enrollment Machine or Server. Select File > Add/Remove Snap-ins. Select and Add Certificates from the list of available snap-ins. When prompted, be sure to select “My User Account” and then “Finish”. Click “OK” to close the “Add or Remove Snap-ins” console.
- Right-click Certificates – Current User > Personal and select All Tasks > Request New Certificate. The Certificate Enrollment Wizard should open.
- Select Active Directory Enrollment Policy as the Certificate Enrollment Policy and click Next.
- In the Certificate Template list, select “SC Enrollment Fortinet” and click “Enroll”. If it completes, you now have a user and an Enrollment Certificate, so together they can act as an Enrollment Agent.
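Two things have to be true at the end of this section: the CA must be publishing the duplicated template, and scuser's Personal store must hold a certificate carrying the Certificate Request Agent application policy. The PowerShell below checks both; it is an added example, not from the Fortinet article, run as scuser on the CA or enrollment machine, and it assumes the article's example template name “SC Enrollment Fortinet”.

```powershell
# Added example (not from the Fortinet article): verify the outcome of the
# Enrollment Agent section. Run in a PowerShell session started as scuser.
$AgentTemplate   = 'SC Enrollment Fortinet'      # article's example display name
$RequestAgentOid = '1.3.6.1.4.1.311.20.2.1'      # Certificate Request Agent EKU

function Test-AgentTemplatePublished {
    param([string]$Template = $AgentTemplate)
    # certutil -CATemplates lists the templates this CA is configured to issue,
    # one per line as "<template name>: <display name> -- <access result>".
    $out = certutil -CATemplates 2>&1
    @($out | Where-Object { $_ -match [regex]::Escape($Template) }).Count -gt 0
}

function Get-EnrollmentAgentCert {
    # The Cert: provider exposes EnhancedKeyUsageList with ObjectId/FriendlyName
    # pairs, so filter on the Certificate Request Agent OID rather than on the
    # localized friendly name. HasPrivateKey rules out a stray public-only copy.
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.HasPrivateKey -and
            ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $RequestAgentOid)
        }
}

[pscustomobject]@{
    TemplatePublished = Test-AgentTemplatePublished
    AgentCerts        = @(Get-EnrollmentAgentCert | Select-Object Subject, NotAfter, Thumbprint)
}
```

An empty AgentCerts list with TemplatePublished = True usually means the Security tab of the template did not grant scuser Enroll; more than one agent certificate is worth noticing, since the point of this section is that exactly one account can sign smart card requests.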
Setting up the SmartCard Certificate Template
While it is possible to use the built-in SmartCard Logon Certificate, it defaults to a Microsoft CSP and will need to be manually changed to “FEITIAN CSP For Fortinet V1.0” each time a new batch of Certificates is needed. Creating a duplicate template eliminates this need, as we can hard-set in the template which CSP to use. NOTE: The CSP “FEITIAN CSP For Fortinet V1.0” will not appear in the list unless FortiToken PKI Manager is installed on the Active Directory Certificate Services server.
- Connect to the Active Directory Certificate Services server and open Certification Authority. Right-click Certificate Templates and select Manage.
- In the Certificate Templates Console, locate SmartCard Logon. Right-click this entry and select “Duplicate Template”.
- Ensure that Compatibility settings are set to Windows Server 2003 for both Certification Authority and Certificate Recipient.
- Under General, give the template a name to identify it (in this example it will be referred to as “Fortinet SC Logon”). You can also modify the Validity Period so the Certificate is valid longer or shorter if desired.
- Under Request Handling, edit the CSPs and set requests to use only “FEITIAN CSP For Fortinet V1.0”.
- Under Issuance Requirements, set “This Number of Authorized Signatures” to 1 and Enabled. Leave Policy Type as “Application Policy” and change Application Policy to Certificate Request Agent.
- Under Security, ensure that scuser has permissions to Read, Write, Enroll and Autoenroll, and then save and close the Template.
- Close the Certificate Templates Console for now, then right-click “Certificate Templates” in Certification Authority and select New > Certificate Template to Issue. Select the new Template that was just created and click OK.
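The three settings in this list that actually constrain who can get a smart card logon certificate and where its key lives are stored as attributes on the template object in the Configuration partition, so they can be audited without opening the console. The following PowerShell is an added example, not part of the Fortinet article; it requires the ActiveDirectory RSAT module and assumes the article's example name “Fortinet SC Logon”.

```powershell
# Added example (not from the Fortinet article): read the duplicated smart card
# template from AD and confirm the CSP pin, the single-signature requirement and
# the Certificate Request Agent policy on that signature.
Import-Module ActiveDirectory

function Get-SmartCardTemplateCheck {
    param(
        [string]$DisplayName = 'Fortinet SC Logon',            # article's example name
        [string]$Csp         = 'FEITIAN CSP For Fortinet V1.0',
        [string]$RaPolicyOid = '1.3.6.1.4.1.311.20.2.1'        # Certificate Request Agent
    )
    # Templates live in a fixed container under the forest's configuration NC.
    $base = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext

    $t = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" `
            -Properties pKIDefaultCSPs, 'msPKI-RA-Signature',
                        'msPKI-RA-Application-Policies', 'msPKI-Template-Schema-Version'
    if (-not $t) { throw "Template '$DisplayName' not found under $base" }

    # pKIDefaultCSPs entries have the form "<index>,<provider name>"; keep the name.
    $csps = @($t.pKIDefaultCSPs | ForEach-Object { ($_ -split ',', 2)[1] })

    [pscustomobject]@{
        Template           = $DisplayName
        # Schema version 2 is what the "Windows Server 2003" compatibility setting
        # produces; the FEITIAN CSP is only usable from such templates.
        SchemaVersion      = $t.'msPKI-Template-Schema-Version'
        CspPinned          = ($csps.Count -eq 1 -and $csps[0] -eq $Csp)
        SignaturesRequired = $t.'msPKI-RA-Signature'
        RaPolicyIsAgent    = ($t.'msPKI-RA-Application-Policies' -contains $RaPolicyOid)
    }
}

Get-SmartCardTemplateCheck
```

Expected values after following the list above are SchemaVersion 2, CspPinned True, SignaturesRequired 1 and RaPolicyIsAgent True. A template with SignaturesRequired 0 would let any principal with Enroll request a logon certificate directly, without the agent, which is the condition the Issuance Requirements step is there to prevent.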
Using Enrollment Agent to issue Certificates for SmartCards
This last step is for using the newly created Enrollment Agent on the server or a designated Enrollment Machine to request and sign Certificates directly onto the FortiToken-300.
1. Open MMC as scuser from the Enrollment Machine or Server. Select File > Add/Remove Snap-ins. Select and Add Certificates from the list of available snap-ins. When prompted, be sure to select “My User Account” and then “Finish”. Click “OK” to close the “Add or Remove Snap-ins” console.
2. Navigate to Certificates – Current User > Personal > Certificates and click Action > All Tasks > Advanced Operations > Enroll on Behalf of… This will start the Certificate Enrollment Wizard.
3. Select Active Directory Enrollment Policy as the Certificate Enrollment Policy and click Next.
4. Select “Browse” and choose the Certificate that was generated for scuser as an Enrollment Agent, then click Next.
5. Locate Fortinet SC Logon in the list, select it and click Next.
6. Select “Browse”, find the user the current request is for, and click Enroll.
7. Follow the prompt to connect the SmartCard and the enrollment process should continue.
8. When prompted, enter your PIN and then wait for the process to complete. The FTK-Admin agent in the task tray should launch and indicate when it completes copying over the Certificate and Private Key.
9. When completed, the Wizard will prompt to proceed with the next user or close. If more users need Certificates on their FortiTokens, select “Next User” and you will be brought back to the User Selection part of the Wizard (Step 6).
10. Repeat Steps 6-9 until all users have their Certificates on their respective SmartCards.
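After step 8 the thing worth confirming is that the new Smart Card Logon certificate's private key really lives in the FEITIAN CSP on the token rather than in a software provider on the enrollment machine. The PowerShell below is an added example, not from the Fortinet article; it assumes the token is inserted so that Windows certificate propagation has copied the card's certificate into the current user's Personal store, and it relies on the “Provider =” line that certutil prints for each certificate it can pair with a key container.

```powershell
# Added example (not from the Fortinet article): report every Smart Card Logon
# certificate visible to the current user and which CSP holds its private key.
function Get-TokenLogonCertReport {
    param([string]$Csp = 'FEITIAN CSP For Fortinet V1.0')   # CSP name from the article
    $ScLogonOid = '1.3.6.1.4.1.311.20.2.2'                  # Smart Card Logon EKU

    $certs = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList | Where-Object ObjectId -eq $ScLogonOid }

    foreach ($c in $certs) {
        # certutil -store accepts a SHA1 thumbprint as a filter and prints a
        # block for that certificate; pull the provider name out of it.
        $detail   = certutil -user -store My $c.Thumbprint 2>&1
        $provider = $null
        foreach ($line in $detail) {
            if ($line -match '^\s*Provider\s*=\s*(.+)$') { $provider = $Matches[1].Trim(); break }
        }

        [pscustomobject]@{
            Subject    = $c.Subject
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
            Provider   = $provider
            OnToken    = ($provider -eq $Csp)   # True only if the key is in the FEITIAN CSP
        }
    }
}

Get-TokenLogonCertReport | Format-Table -AutoSize
```

A row with Provider showing a Microsoft provider, or no Provider at all, means the key did not end up on the token; re-check that the template's Request Handling tab pins the FEITIAN CSP before repeating steps 6-9 for that user.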