jmacdonaldplante
Article Id 189940
Description
How to use FortiToken PKI Manager with Active Directory to sign and load user certificates onto a FortiToken 300 (a hardened USB key for containing Private Keys and Public Certificates).

The steps covered include:
  • setup an Enrollment Agent in Windows Active Directory Certificate Services
  • setup the SmartCard Certificate Template
  • use the Agent with the template to sign User Certificates
  • import the user certificates onto a FortiToken 300

Solution
Requirements
  • Windows Active Directory Certificate Services
  • FortiToken PKI Manager (FTK300_Setup_V1.2.exe from https://support.fortinet.com)
  • Access to either the CA Directly or from an enrollment machine
Installing FortiToken PKI Manager
The FortiToken PKI Manager must be installed on the CA server so that “FEITIAN CSP For Fortinet V1.0” is available on the server as a selectable CSP. This CSP can only be selected on Windows Server 2003 (version 2) certificate templates; it does not work with later template versions. The PKI Manager may also be installed on an Enrollment Machine to facilitate certificate management.
  1. On the server, download and run FTK300_Setup_V1.2.exe from https://support.fortinet.com.
  2. After the install, run “FortiToken PKI Manager” and confirm it can see the FortiToken-300 when the token is connected directly or shared over RDP.
Setting up the Enrollment Agent
To facilitate and secure the issuance of User Certificates to SmartCards, an Enrollment Agent should be used. With an Enrollment Agent, only one user account holds permission to enroll in the SmartCard Certificate template, and issuance is easier and faster because that account can Enroll Certificates on Behalf of other users. In this document, the Enrollment Agent will be referred to as scuser.
This part has two major steps: creating the Enrollment Agent template, and enrolling the user with that template.
  1. Connect to the Active Directory Certificate Services server and open Certification Authority. Right-click Certificate Templates and select Manage.
  2. In the Certificate Templates Console, locate Enrollment Agent. Right-click this entry and select “Duplicate Template”.
  3. Ensure that Compatibility settings are set to Windows Server 2003 for both Certification Authority and Certificate Recipient.
  4. Under General, give the template a descriptive name (in this example it will be referred to as “SC Enrollment Fortinet”). You can also modify the Validity Period so the Certificate is valid longer or shorter if desired.
  5. Under Security, ensure that scuser has permissions to Read, Write, Enroll and Autoenroll, then save and close the Template.
  6. Close the Certificate Templates Console for now and then right-click “Certificate Templates” in Certification Authority and select New > Certificate Template to Issue. Select the new Template that was just created and click OK.
  7. Create a User in Active Directory Users and Computers with basic privileges (NOTE: if the CA will be used directly for enrolling Certificates, ensure that scuser is given permission to log on interactively on the server).
  8. Open MMC as scuser from the Enrollment Machine or Server. Select File > Add/Remove Snap-ins. Select and Add Certificates from the list of available snap-ins. When prompted, be sure to select “My User Account” and then “Finish”. Click “OK” to close the “Add or Remove Snap-ins” console.
  9. Right-click Certificates – Current User > Personal and select All Tasks > Request New Certificate. The Certificate Enrollment Wizard should open.
  10. Select Active Directory Enrollment Policy as the Certificate Enrollment Policy and click Next.
  11. In the Certificate Template list, select SC Enrollment Fortinet and click “Enroll”. If it completes, you now have a user and an Enrollment Certificate that together act as an Enrollment Agent.
Setting up the SmartCard Certificate Template
While it is possible to use the built-in SmartCard Logon Certificate, it defaults to a Microsoft CSP and will need to be manually changed to “FEITIAN CSP For Fortinet V1.0” each time a new batch of Certificates are needed. Creating a duplicate template will eliminate this need as we can hard set in the template which CSP to use. NOTE: The CSP “FEITIAN CSP For Fortinet V1.0” will not appear in the list unless FortiToken PKI Manager is installed on the Active Directory Certificate Services server.
  1. Connect to the Active Directory Certificate Services server and open Certification Authority. Right-click Certificate Templates and select Manage.
  2. In the Certificate Templates Console, locate SmartCard Logon. Right-click this entry and select “Duplicate Template”.
  3. Ensure that Compatibility settings are set to Windows Server 2003 for both Certification Authority and Certificate Recipient.
  4. Under General, give the template a descriptive name (in this example it will be referred to as “Fortinet SC Logon”). You can also modify the Validity Period so the Certificate is valid longer or shorter if desired.
  5. Under Request Handling, edit the CSPs and set requests to use only “FEITIAN CSP For Fortinet V1.0”.
  6. Under Issuance Requirements, set “This Number of Authorized Signatures” to 1 and Enabled. Leave Policy Type as “Application Policy” and change Application Policy to Certificate Request Agent.
  7. Under Security, ensure that scuser has permissions to Read, Write, Enroll and Autoenroll, then save and close the Template.
  8. Close the Certificate Templates Console for now and then right-click “Certificate Templates” in Certification Authority and select New > Certificate Template to Issue. Select the new Template that was just created and click OK.
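As an added example that is not part of the Fortinet article, the following PowerShell audits the two duplicated templates against what the steps above configure. It runs from a domain-joined machine with the ActiveDirectory RSAT module and read access to the Configuration partition; the template names and the scuser account are the article's example values, and the Enroll extended-right GUID and the Certificate Request Agent OID are the standard Microsoft values.

```powershell
# Added example, not from the Fortinet article: audits the Enrollment Agent and SmartCard
# Logon duplicates created above. Needs the ActiveDirectory module (RSAT) and read access
# to the Configuration partition. Names below are the article's example values; adjust them.
Import-Module ActiveDirectory

$AgentTemplate     = 'SC Enrollment Fortinet'     # Enrollment Agent duplicate
$SmartCardTemplate = 'Fortinet SC Logon'          # SmartCard Logon duplicate
$AgentAccount      = 'scuser'                     # only account that should hold Enroll on the agent template
$ExpectedCsp       = 'FEITIAN CSP For Fortinet V1.0'

$CertRequestAgentOid = '1.3.6.1.4.1.311.20.2.1'  # application policy "Certificate Request Agent"
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # "Enroll" extended right

$TemplateContainer = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
                     (Get-ADRootDSE).configurationNamingContext

function Get-CertTemplate([string]$DisplayName) {
    Get-ADObject -SearchBase $TemplateContainer -LDAPFilter "(displayName=$DisplayName)" `
        -Properties displayName, pKIDefaultCSPs, 'msPKI-RA-Signature',
                    'msPKI-RA-Application-Policies', 'msPKI-Template-Schema-Version'
}

# Identities allowed to enroll: an explicit Enroll ACE, an ACE granting every extended right
# (ObjectType is the empty GUID), or rights that let the holder rewrite the ACL anyway.
function Get-EnrollPrincipals($Template) {
    (Get-Acl -Path "AD:\$($Template.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (
            $_.ObjectType -eq $EnrollRightGuid -or
            ($_.ObjectType -eq [guid]::Empty -and $_.ActiveDirectoryRights -match 'ExtendedRight') -or
            $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner') } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
}

function Test-FortiTokenTemplates {
    $findings = @()

    $agent = Get-CertTemplate $AgentTemplate
    if (-not $agent) { $findings += "template '$AgentTemplate' not found" }
    else {
        # Anyone who can enroll here can request certificates on behalf of any user.
        $extra = Get-EnrollPrincipals $agent |
            Where-Object { $_ -notmatch "\\$AgentAccount$" -and $_ -notmatch 'Domain Admins|Enterprise Admins' }
        if ($extra) { $findings += "'$AgentTemplate': Enroll is also granted to $($extra -join ', ')" }
    }

    $sc = Get-CertTemplate $SmartCardTemplate
    if (-not $sc) { $findings += "template '$SmartCardTemplate' not found" }
    else {
        # Issuance Requirements: exactly one signature, from a Certificate Request Agent
        if ($sc.'msPKI-RA-Signature' -ne 1) {
            $findings += "'$SmartCardTemplate': msPKI-RA-Signature is $($sc.'msPKI-RA-Signature'), expected 1"
        }
        if (@($sc.'msPKI-RA-Application-Policies') -notcontains $CertRequestAgentOid) {
            $findings += "'$SmartCardTemplate': signature policy is not Certificate Request Agent"
        }
        # Request Handling: only the FEITIAN CSP. Entries are stored as "<index>,<provider name>".
        $csps = @(@($sc.pKIDefaultCSPs) | ForEach-Object { ($_ -split ',', 2)[1] })
        if ($csps.Count -ne 1 -or $csps[0] -ne $ExpectedCsp) {
            $findings += "'$SmartCardTemplate': CSP list is '$($csps -join '; ')', expected only '$ExpectedCsp'"
        }
        # Schema version 2 is what the Windows Server 2003 compatibility setting produces
        if ($sc.'msPKI-Template-Schema-Version' -ne 2) {
            $findings += "'$SmartCardTemplate': schema version $($sc.'msPKI-Template-Schema-Version'), expected 2 (Server 2003)"
        }
    }
    $findings
}

$result = Test-FortiTokenTemplates
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { 'Both templates match the documented configuration.' }
```

Run it as any domain user after step 8 of each section; it only reads the template objects. The ACL check matters most: the Enrollment Agent template is the one object that lets its holder obtain a logon certificate for any user, so any principal other than scuser (and the built-in admin groups) appearing there should be removed.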
Using Enrollment Agent to issue Certificates for SmartCards
This last step uses the newly created Enrollment Agent, on the server or a designated Enrollment Machine, to request and sign Certificates directly onto the FortiToken-300.
  1. Open MMC as scuser from the Enrollment Machine or Server. Select File > Add/Remove Snap-ins. Select and Add Certificates from the list of available snap-ins. When prompted, be sure to select “My User Account” and then “Finish”. Click “OK” to close the “Add or Remove Snap-ins” console.
  2. Navigate to Certificates – Current User > Personal > Certificates and click Action > All Tasks > Advanced Operations > Enroll on Behalf of… This will start the Certificate Enrollment Wizard.
  3. Select Active Directory Enrollment Policy as the Certificate Enrollment Policy and click Next.
  4. Select “Browse” and choose the Certificate that was generated for scuser as an Enrollment Agent, then click Next.
  5. Locate Fortinet SC Logon in the list, select it and click Next.
  6. Select “Browse”, find the user the current request is for, and click Enroll.
  7. Follow the prompt to connect the SmartCard, and the enrollment process should continue.
  8. When prompted, enter your PIN and wait for the process to complete. The FTK-Admin agent in the task tray should launch and indicate when it has finished copying the Certificate and Private Key to the token.
  9. When completed, the Wizard will prompt to proceed with the next user or close. If more users need Certificates on their FortiTokens, select “Next User” and you will be brought back to the User Selection part of the Wizard (Step 6).
  10. Repeat Steps 6-9 until all users have their Certificates on their respective SmartCards.
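Added example, not part of the article: after step 10, this PowerShell verifies what landed on a FortiToken 300 and what the CA recorded about the request. Run it on a machine with the token inserted, once Windows has propagated the card's certificate into the current user's personal store, and with rights to view the CA database. The CA config string and the DOMAIN\scuser account are placeholders; the Smart Card Logon EKU OID is the standard Microsoft value.

```powershell
# Added example, not from the Fortinet article: checks a FortiToken 300 after "Enroll on Behalf of".
# Assumes the token is inserted and its certificate has been propagated into Cert:\CurrentUser\My.
$CaConfig          = 'CASERVER\Example-CA'        # placeholder: <CA hostname>\<CA common name>
$AgentAccount      = 'EXAMPLE\scuser'             # placeholder: domain\Enrollment Agent account
$ExpectedCsp       = 'FEITIAN CSP For Fortinet V1.0'
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'     # Microsoft EKU "Smart Card Logon"

function Get-SmartCardLogonCerts {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid }
}

function Test-TokenCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    $result = [ordered]@{ Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; UPN = $null; Issues = @() }

    if (-not $Cert.HasPrivateKey) {
        $result.Issues += 'no private key associated (certificate is not bound to the token)'
    }
    else {
        # The FEITIAN provider is a legacy CSP, so the key surfaces as RSACryptoServiceProvider;
        # a CNG key would surface as RSACng with the provider under .Key.Provider.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        $provider = if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $rsa.CspKeyContainerInfo.ProviderName
        } else { $rsa.Key.Provider.Provider }
        if ($provider -ne $ExpectedCsp) {
            $result.Issues += "private key provider is '$provider', expected '$ExpectedCsp'"
        }
    }

    # The UPN in the Subject Alternative Name is what the domain controller maps to the AD account at logon
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($false) -match 'Principal Name=([^,\s]+)') { $result.UPN = $Matches[1] }
    else { $result.Issues += 'no UPN in Subject Alternative Name' }

    if ($Cert.NotAfter -lt (Get-Date)) { $result.Issues += 'certificate has expired' }
    [pscustomobject]$result
}

# What the CA recorded: with Enroll on Behalf Of, the Requester Name is the agent (scuser),
# while the UPN column holds the user who received the card. Disposition 20 = issued.
function Get-AgentIssuedRequests {
    & certutil -config $CaConfig -view -restrict "RequesterName=$AgentAccount,Disposition=20" `
        -out 'RequestID,RequesterName,UPN,NotAfter'
}

Get-SmartCardLogonCerts | ForEach-Object { Test-TokenCertificate $_ } | Format-List
Get-AgentIssuedRequests
```

Opening the key container may prompt for the token PIN. Comparing the CA's list against the user accounts that were actually handed tokens is the useful control here: every issued row is a logon credential signed by scuser, so any UPN that was not part of the batch should be investigated and revoked.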
