Hello
I have to configure an IPsec VPN with a client using certificate authentication mode.
We have a FortiGate FW, and on the client side we do not know the FW model.
I have some doubts about the certificates to use; see if you can help me with this.
We don't currently have a PKI in the company.
1. Is it advisable to use the external CA of the domain for this or is it better to use the FortiGate?
2. The client asks me for a CSR certificate. Can I generate this certificate with FortiGate, and is the resulting certificate the one I have to add in the "Certificate Name" configuration?
3. Should the customer also send me a CSR for us to sign? If so, can we sign it with FortiGate?
4. In Peer Certificate CA, which certificate do I have to put? Does the client have to send this certificate to me as well?
5. Which certificates do we have to send to the client?
Thanks
Hi @guchinife ,
This should cover almost all of your questions:
https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/344213/site-to-site-vpn-with-digital-ce...
Hello.
This document does not clear up my doubts as to which certificates to use.
Could you clarify more about this?
Hi @guchinife,
You can use an external or a built-in certificate; it doesn't matter. Peer Certificate CA is the CA certificate that was used to sign the client's FortiGate certificate. You need to import it into your FortiGate.
Regards,
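The relationship the reply describes (the Peer Certificate CA must be exactly the CA that signed the remote peer's certificate, and a CSR is signed by a CA to produce that certificate) can be reproduced in a small OpenSSL lab. The script below is an added example for this thread, not code from Fortinet or from the original posters; it assumes the `openssl` command-line tool is installed, and the CA and peer names (`our-ca`, `their-ca`, `client-fw`) are constructed for the demonstration. It builds two independent CAs, issues the client firewall's certificate from one of them, and then shows that chain verification only succeeds against the issuing CA, which is what the FortiGate checks when the peer presents its certificate.

```shell
#!/bin/sh
# Added example (not from the thread): a two-CA lab showing why the
# Peer Certificate CA must be the CA that actually signed the peer's cert.
# Requires the openssl CLI. All names below are constructed for the demo.
set -eu

# Scratch directory for keys, CSRs and certificates.
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA (private key + certificate) named $1.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Generate a private key and a CSR for peer $1. The CSR (not the key) is
# what one side hands to the other side's CA for signing.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

# Sign CSR $1 with CA $2, producing the peer certificate $WORK/$1.crt.
sign_csr() {
  openssl x509 -req -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -days 365 -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Return 0 if certificate $1 chains to CA $2. This is the check the
# FortiGate performs against the certificate selected as Peer Certificate CA.
chains_to() {
  openssl verify -CAfile "$WORK/$2.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Build the lab: two unrelated CAs, and a client firewall certificate
# issued by the *remote* side's CA (their-ca).
build_lab() {
  make_ca our-ca
  make_ca their-ca
  make_csr client-fw
  sign_csr client-fw their-ca
}

# Stand-alone run: build everything and report which CA the client cert chains to.
build_lab
if chains_to client-fw their-ca; then
  echo "client-fw verifies against their-ca (correct Peer Certificate CA)"
fi
if chains_to client-fw our-ca; then
  echo "unexpected: client-fw verified against our-ca"
else
  echo "client-fw does NOT verify against our-ca (wrong Peer Certificate CA)"
fi
```

Mapped back to the questions in the thread: `their-ca.crt` is what the remote side must send you for the Peer Certificate CA field, `client-fw.csr` is the kind of file each side generates and sends to the other side's CA, and `client-fw.crt` is what comes back signed. Only public material (the CA certificate and the signed certificate) ever crosses the link; the private keys stay on the device that generated them.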