New Contributor III

Where to define CA certificate authentication ?

Hi Guys,


I am using 2MFA in SSLVPN & using PKI-Card certificate for 2nd authentication method.


Please help me with where to configure the CA certificate that should be used for authenticating/checking the user certificate. Do I have to configure a PKI user for that?


Kindly also confirm whether a self-signed server certificate is mandatory for 2FA to work, or whether the Fortinet factory-default certificate is fine (SSLVPN -> Settings -> Server Certificate).




Hi Shantilal1998,

If I understand correctly, you are after SSL VPN LDAP/RADIUS auth + certificate as 2FA.
You need to configure a PKI user indeed; that's where you define the CA.

SSL VPN ldap auth:

PKI user:

Then you'll have to enable PKI as a second factor on the SSL VPN authentication rules:


# The objects referenced by the authentication rule must exist before the rule
# is created, so the peer, group and realm come first. The LDAP server
# "LDAPS-bogusinc.local" is assumed to be configured already (see above).
config user peer
    edit "user1"
        set ca "fortiauth.local.root"
        set ldap-server "LDAPS-bogusinc.local"
        set ldap-mode principal-name
    next
end

config user group
    edit "PKI_USERS"
        set member "LDAPS-bogusinc.local"
        config match
            edit 1
                set server-name "LDAPS-bogusinc.local"
                set group-name "CN=Users,CN=Builtin,DC=bogusinc,DC=local"
            next
        end
    next
end

config vpn ssl web realm
    edit "pki"
    next
end

config vpn ssl settings
    config authentication-rule
        edit 12
            set groups "PKI_USERS"
            set portal "full-access"
            set realm "pki"
            set client-cert enable
            set user-peer "user1"
        next
    end
end

SSLVPN-> Settings -> server certificate - this better not be Fortinet_Factory.
Use a certificate issued by a CA you/your users can trust (private or public).

You can grab one for free from Let's Encrypt if you're running at least FOS 7.0:

Please mark this as resolved if I answered your question.
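An added example (not part of the thread, and not Fortinet's own tooling) to run on a workstation before opening a TAC case: it checks offline whether a user's PKI-card certificate would satisfy what the peer object above asks for, i.e. that it chains to the CA set with `set ca`, that it is marked for TLS client authentication, and that it carries the UPN which `set ldap-mode principal-name` matches against LDAP. It only needs the openssl CLI; the CA (standing in for the certificate loaded as "fortiauth.local.root"), a second unrelated CA, and the user certificate with UPN user1@bogusinc.local are all generated in a temporary directory as constructed test data, and the names are assumptions borrowed from the config in the answer. Reading the UPN otherName needs OpenSSL 3.x; 1.1.1 prints it as unsupported, and the function then returns an empty string.

```shell
#!/bin/sh
# Added example, not from the thread or from Fortinet: offline checks on a
# smart-card (PKI) certificate against what 'config user peer' implies.
# Needs the openssl CLI. All certificates below are constructed test data.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throw-away CA ($1 = output basename, $2 = CN). The default openssl
# config marks 'req -x509' output as CA:TRUE.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a client certificate signed by a CA ($1 = CA basename, $2 = output
# basename, $3 = UPN). The UPN goes into a Microsoft otherName SAN
# (OID 1.3.6.1.4.1.311.20.2.3), which is what principal-name mode reads.
issue_user_cert() {
  cat > "$WORK/$2.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$3
EOF
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$2.ext" \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# Check 1: does the user certificate chain to the CA named in 'set ca'?
# ($1 = CA pem, $2 = user cert pem; exit status is the answer)
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Check 2: is the certificate usable for TLS client authentication?
cert_has_client_auth() {
  openssl x509 -in "$1" -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Check 3: which UPN would principal-name mode look up in LDAP?
# OpenSSL 3.x prints "othername: UPN::<upn>"; 1.1.1 prints <unsupported>,
# in which case this prints nothing.
cert_upn() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | sed -n 's/.*UPN::\([^,]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Constructed test data: the "right" CA, an unrelated CA, and one user cert.
make_ca root "fortiauth.local.root"
make_ca other "some-other-ca"
issue_user_cert root user1 "user1@bogusinc.local"

printf 'chains to fortiauth.local.root: %s\n' \
  "$(cert_chains_to_ca "$WORK/root.pem" "$WORK/user1.pem" && echo yes || echo no)"
printf 'chains to some-other-ca:        %s\n' \
  "$(cert_chains_to_ca "$WORK/other.pem" "$WORK/user1.pem" && echo yes || echo no)"
printf 'clientAuth EKU present:         %s\n' \
  "$(cert_has_client_auth "$WORK/user1.pem" && echo yes || echo no)"
printf 'UPN for LDAP lookup:            %s\n' "$(cert_upn "$WORK/user1.pem")"
```

To use it on a real card, export the user certificate from the card (or from the FortiClient debug output) to a PEM file and point `cert_chains_to_ca` at the CA PEM that was imported on the FortiGate as "fortiauth.local.root"; a "no" on the first check, or an empty UPN, explains a failed PKI match before any fnbamd debugging.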

New Contributor III



Actually, it was working fine in FortiOS 7.0.5, and we are facing the issue after upgrading to 7.2.2.


The PKI user and server certificate were not configured, but users were able to connect. Why?


So it's broken now after the upgrade.

Are you using FortiClient, free or licensed?

Can you try without FortiClient, over web SSL VPN, same issue?

Please run this debug, it will show what is happening:


diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose vpn ssl debug-filter src-addr4 <PUBLICIPOFTESTCLIENT>
diagnose debug enable

New Contributor III



FortiClient is licensed and web-based SSL VPN is disabled.


See if you can enable web-based SSL VPN for a quick test. That would help to know whether the issue is with the firewall or with FortiClient.

Otherwise, please run the debug and see if you can figure it out, maybe share here some event that you find interesting/relevant.

New Contributor III



We have an existing TAC case for the same issue and have executed the commands you mentioned. But till now there is no resolution.


Any suggestion would be helpful for us from your side.


Is there anything that we can check on the endpoint system?
