ddskier
Contributor

SSL VPN Client - Require Client Certificate

I'm very frustrated with the SSL VPN "Require Client Certificate" functionality. Fortinet's documentation isn't the best on this issue. Support is also taking their sweet time giving me answers that don't keep referring back to documentation. I'm running 4.0 MR1 - Patch 4. I have purchased a GoDaddy SSL certificate, installed it on the Fortinet unit and also installed GoDaddy's "CA Certificate" on the unit itself (per Fortinet documentation). I went ahead and installed the SSL certificate on the client machine under the "Other People" and "Personal" certificate containers. However, no matter what I do, the Fortinet unit will not allow my remote user to authenticate while I have the "Require Client Certificate" check box set. What am I missing?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
Carl_Wallmark
Valued Contributor

Hi, the certificate for SSL VPN is a .p12 certificate (a personal certificate) :'( You need to have that on your clients.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C
ddskier
Contributor

Ugh. What would you recommend that I use to generate this certificate? Take the current X.509 SSL cert and generate a .p12 cert? Use OpenSSL? Thoughts?

-DDSkier FCNSA, FCNSP FortiGate 400D, (2) 200D, (12) 100D, (2) 60D
g3rman
New Contributor

Use XCA (https://sourceforge.net/projects/xca/). Graphical frontend for OpenSSL. Works like a champ.
A Real World Fortinet Guide Configuration Examples & Frequently Asked Questions http://firewallguru.blogspot.com
Not applicable

Can you please share the steps to create .p12 certificate using XCA? I have also purchased a standard certificate from goDaddy. Your help is appreciated!
nsumner
New Contributor

The question, x2cao, is what you are trying to accomplish. Requiring a certificate for your end users increases security, but it is generally used with a token (i.e. if you don't have the token you can't connect). Just putting it on the laptop doesn't increase security by a terribly large amount and creates an administrative nightmare.
Not applicable

Thanks for the suggestion, but we only have a limited number of users who will use this. In fact I don't think it's that hard to manage, because you can always deploy the cert to the staff through GPO. We just want to achieve higher security without additional costs.
rlord
New Contributor

This is what I did. Installed Windows CA on Enterprise Server (you do not need Enterprise if you want to manually deploy user certificates). Imported the Windows CA certificate into the FortiGate. Then I used a CA template and AD GPO to auto-generate client CA's for each computer. When a user connects, the system looks for the certificate trusted by the Windows CA as well as prompting the user for their login.

I think your issue is as follows:
1) Users or computers need to be issued a certificate.
2) Take the CA certificate for the CA used to deploy certificates to your users and upload this to the FortiGate.

Hope that makes sense.
2 x 310B v4.0,build0272,100331 (MR2) HA ( Active Passive )
Not applicable

Thanks rlord... I have done that, but I want to use a well-known CA instead of hosting my own certificates. Is anyone else on this forum able to use a well-known third-party CA, e.g. Thawte, Verisign, GoDaddy, etc.?
rlord
New Contributor

x2cao, then you'll need client certs from the "well-known CA" for your users. You have to have a chain of trust for the FortiGate to accept the users. It is not like secure web, where only the server needs an SSL certificate. In this case both parties need a certificate that has been issued by the same CA chain. At least that is how I understood it.
2 x 310B v4.0,build0272,100331 (MR2) HA ( Active Passive )
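The two points the thread converges on (Carl's: the client needs a personal .p12, not the server's certificate; rlord's: the FortiGate must hold the CA that issued that client certificate, so the chain of trust closes) can be reproduced with plain OpenSSL instead of XCA. The script below is an added example written for this page; it is not from the forum, from Fortinet, or from the XCA project. It builds a private CA, issues a client-auth-only certificate for a user, exports it as a password-protected .p12 containing key, certificate and issuing CA, and then checks the chain the way the gateway would: the cert verifies against its own CA and fails against an unrelated one. The CA name "corp", the user "jdoe", the password "changeit" and the environment variable SSLVPN_DEMO are placeholders chosen for the demo. It does not touch the FortiGate; importing NAME.crt there as a CA certificate is the step rlord describes.

```shell
#!/bin/sh
# Added example (not from the forum thread): issue a client certificate from a
# private CA with OpenSSL and package it as the .p12 an SSL VPN client needs.
# Names below ("corp", "jdoe", "changeit") are placeholders for this demo.
set -u

# make_ca DIR NAME: self-signed CA key pair at DIR/NAME.key and DIR/NAME.crt.
# NAME.crt is the file you would import on the gateway as a CA certificate.
make_ca() {
    dir=$1; name=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$name Client CA" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# issue_client_p12 DIR CA USER PASSWORD: generate a user key and CSR, sign it
# with the CA, restrict it to TLS client authentication, and export
# DIR/USER.p12 (private key + certificate + issuing CA) protected by PASSWORD.
issue_client_p12() {
    dir=$1; ca=$2; user=$3; pass=$4
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null || return 1
    # Leaf-only extensions: not a CA, usable for client auth only.
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=clientAuth' > "$dir/$user.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/$user.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -extfile "$dir/$user.ext" -out "$dir/$user.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -name "$user SSL VPN" \
        -in "$dir/$user.crt" -inkey "$dir/$user.key" -certfile "$dir/$ca.crt" \
        -passout "pass:$pass" -out "$dir/$user.p12" 2>/dev/null
}

# verify_client_cert CA_CRT CLIENT_CRT: the check a gateway performs. Returns 0
# only if CLIENT_CRT chains to CA_CRT and is valid for the sslclient purpose.
# Matches on the "OK" line because very old openssl builds always exit 0.
verify_client_cert() {
    out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1)
    case $out in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# p12_subject P12 PASSWORD: print the subject of the certificate inside the
# bundle, to confirm what a user would be importing.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# End-to-end run, only when invoked as: SSLVPN_DEMO=1 sh ./client_p12.sh
if [ "${SSLVPN_DEMO:-}" = "1" ]; then
    work=$(mktemp -d)
    make_ca "$work" corp
    make_ca "$work" other
    issue_client_p12 "$work" corp jdoe changeit
    verify_client_cert "$work/corp.crt"  "$work/jdoe.crt" && echo "jdoe.crt chains to corp CA: OK"
    verify_client_cert "$work/other.crt" "$work/jdoe.crt" || echo "jdoe.crt vs other CA: rejected (expected)"
    p12_subject "$work/jdoe.p12" changeit
    echo "Import $work/corp.crt on the gateway as a CA certificate; hand $work/jdoe.p12 to the user."
fi
```

The second verify call is the failure mode the thread keeps circling: a client certificate from a CA the gateway does not hold (or the server's own GoDaddy certificate copied to the client, which was never issued to the user at all) does not chain, so "Require Client Certificate" rejects it. On OpenSSL 3.x, older Windows clients may need the .p12 written with the extra `-legacy` flag to `openssl pkcs12 -export`.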