Greetings all,
I'm having an issue which I get the sense will be a simple fix but I'm at a bit of a loss. I'm trying to add a certificate to iOS to use for connecting to a fortigate vpn. I have no trouble getting the certificate onto the iphone and forticlient detecting it, but its asking for a passphrase.
I generated a certificate key pair via Easy-RSA and was able to upload them to the Fortigate without issue. The private key has a password so I was able to enter that into Fortigate without issue. But on the iphone, my understanding is its just the one file, and it needs to be the certificate, which does not have a password. But the app will not let it be used without a password, and leaving it blank returns incorrect passphrase.
What am I doing wrong? I'd appreciate any help. Thanks!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Correct, setup a CA, made the certificate key pairs, signed, etc.
I noted that I already had the certificates in the original post.
I figured it out last night - they couldn't be .key and .crt files. Even renaming them as someone instructed another poster was not sufficient. They had to be exported as .p12 files, which combines the private key and certificate, and is password protected.
Thanks for trying to assist though! I appreciate it.
Hello
Can you add a screenshot?
This message pops up after I select the file and when I try to save the configuration.
I suspect you are trying to add the certificate on the filed that is used for user certificate based authentication. If you are trying to configure username/password authentication only, no client certificate is needed. As long as the device has the the certificate trusted in its store the authentication will succeed.
That is correct, and is my intention. I don't want to rely on just username/pw or even 2fa.
In that case you need to create dedicated certificates (+ private key) and apply for each user that will use the VPN. Details are explained here: https://docs.fortinet.com/document/forticlient/7.0.0/ios-administration-guide/428118/ssl-vpn
Correct, setup a CA, made the certificate key pairs, signed, etc.
I noted that I already had the certificates in the original post.
I figured it out last night - they couldn't be .key and .crt files. Even renaming them as someone instructed another poster was not sufficient. They had to be exported as .p12 files, which combines the private key and certificate, and is password protected.
Thanks for trying to assist though! I appreciate it.
As this was the top Google result:
Should you generate the p12 user certificate with openssl 3+ -> IOS requires the use of the -legacy flag when generating it. Otherwise the Fortigate client will give you the bad / wrong passphrase error.
openssl pkcs12 -export -legacy -out ${user}.p12 -inkey ${user}.key -in ${user}.crt -certfile ca.crt -passout env:P12_PASS
If you export / rename the file with the fctp12 extension like -out ${user}.fctp12 you can import it directly from a mail client into the ios version of fortigate.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.