Dear community, 

i use FortiAuthenticator for 802.1x computer authentication for Windows 10 and Windows 7 Client PCs.

I use a manual routine to setup the certificates for the devices without any user interaction or portal.

1. create a user (with fqdn of the device)

2. create a certificate issued by a LocalCA running on the FAC

3. export the Certificate and Key and copy it on the PC 

4. import the the certificate including the CA certificate to computer certificate store

5. enable Wired Autoconnect Service at the Windows PC

6. enable 802.1x computer authentication on the Network Adapter of the PC

The issue im facing is that the windows 7 PC do not have the the button for the CA Issuer Selection. Which is available in Windows 10 and works good enough for me. At Windows7 and without the CA Selection option the PCs send me the wrong certificates and the authentication fails or the FAC receives certificates  of an unknown CA and fails.

I also tried to setup a GPO in the AD with gave me the option to Select the Issuer CA for the 802.1x certificate but its not working under Windows 7. Also tried to export the network profile from a Windows 10 which has this fixating for the CA in it and imported it successful to the Windows 7 PC. But the 802.1x authentication still sends the wrong certificates to the FAC and not applying the imported configuration completely or does not use the parameters for the CA selection and the authentication fails

Does someone has a working solution where a Windows 7 PC sends certificates only of a specific CA. Or can explain me how to configure the FAC so its only uses specific certificates for the authentication and ignores the others CA certificates.

kind regards and cheers, Daniel