Article Id 197444


This article explains why a PKI peer user must be created for certificate authentication, and why that authentication can fail even though the client presents a valid user certificate.
In some cases, when SSL VPN or IPsec VPN is configured with certificate authentication, the connection fails even when a proper user certificate is used at the client end.

This issue occurs when the PKI user created for SSL VPN or IPsec VPN does not match the user certificate presented by the client.

Apart from checking that the certificate was issued by the CA configured with 'set ca', the parameter FortiGate uses to match a user certificate with a PKI user on FortiGate is the 'subject' field.
The subject configured on the PKI user must correspond to the subject of the user certificate, written in the 'CN = name' form shown on the FortiGate certificate view.

If the CN on the client certificate and the subject of the PKI user entry on FortiGate do not match, certificate authentication fails.

To create a PKI user, use the CLI commands below.


config user peer
  edit pki01
    set ca CA_Cert_1
    set subject "CN = name"   <----- Replace 'name' with the value of the CN field on the user certificate.
  next
end


In the above PKI user entry, 'pki01' is the name of the peer user, 'CN = name' is the subject of the user certificate, and 'CA_Cert_1' is the name of the CA certificate imported on FortiGate that signed the user certificate.
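The subject of a client certificate can be read on any workstation with 'openssl x509 -noout -subject -in user.crt'. The following script is an added example, not Fortinet code: it takes that subject line (or the subject as shown in the FortiGate certificate view), extracts the CN, generates the 'config user peer' block with the exact 'set subject' value, and checks whether an existing PKI user subject matches the certificate. The matching rule it applies (case-insensitive comparison after normalising the spaces around '=' and ',') is an assumption made here for the check; the PKI user name, CA name and subject values are constructed sample data.

```python
"""Derive the FortiGate 'set subject' value from a client certificate subject
and check a configured PKI peer user against it.

Added example, not Fortinet's code. The normalised, case-insensitive
comparison used in subject_matches() is an assumption for this check.
"""
import re

SAMPLE_OPENSSL_SUBJECT = "subject=C = US, O = Example Corp, CN = user01"  # constructed


def parse_dn(text):
    """Parse 'C = US, O = Example, CN = user01' into an ordered list of (attr, value).

    Accepts the 'subject=' prefix printed by openssl. Values containing an
    escaped comma are not handled; such subjects should be checked by hand.
    """
    text = text.strip()
    if text.lower().startswith("subject="):
        text = text[len("subject="):]
    rdns = []
    for part in re.split(r"\s*,\s*", text.strip()):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def fortigate_subject(dn):
    """Render RDNs in the 'ATTR = value' form FortiGate uses in its CLI."""
    return ", ".join(f"{attr} = {value}" for attr, value in dn)


def cn_of(dn):
    """Return the CN value of a parsed subject, or None if there is none."""
    for attr, value in dn:
        if attr == "CN":
            return value
    return None


def peer_user_cli(peer_name, ca_name, cert_subject):
    """Emit the 'config user peer' block whose subject is the certificate CN."""
    cn = cn_of(parse_dn(cert_subject))
    if cn is None:
        raise ValueError("certificate subject has no CN; cannot build PKI user")
    return "\n".join([
        "config user peer",
        f"  edit {peer_name}",
        f"    set ca {ca_name}",
        f'    set subject "CN = {cn}"',
        "  next",
        "end",
    ])


def subject_matches(configured_subject, cert_subject):
    """Assumed rule: the configured subject, normalised, must appear
    (case-insensitively) inside the normalised certificate subject."""
    wanted = fortigate_subject(parse_dn(configured_subject)).lower()
    actual = fortigate_subject(parse_dn(cert_subject)).lower()
    return wanted in actual


def diagnose(configured_subject, cert_subject):
    """Explain a mismatch the way a troubleshooter would want to see it."""
    if subject_matches(configured_subject, cert_subject):
        return "OK: PKI user subject matches the certificate"
    want_cn = cn_of(parse_dn(configured_subject))
    have_cn = cn_of(parse_dn(cert_subject))
    if want_cn is not None and have_cn is not None and want_cn != have_cn:
        return (f"MISMATCH: PKI user expects CN = {want_cn!r} but the "
                f"certificate carries CN = {have_cn!r}; fix 'set subject'")
    return "MISMATCH: configured subject is not contained in the certificate subject"


if __name__ == "__main__":
    print(peer_user_cli("pki01", "CA_Cert_1", SAMPLE_OPENSSL_SUBJECT))
    print(diagnose("CN = user01", SAMPLE_OPENSSL_SUBJECT))
    print(diagnose("CN = User1", SAMPLE_OPENSSL_SUBJECT))
```

Run it with the subject line copied from openssl; the emitted block can be pasted into the FortiGate CLI, and the diagnose() output points at the CN that has to change when a PKI user was created with a different name than the one on the certificate.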

Related articles:

Technical Note: Using Certificates to authenticate users in SSL VPN

Technical Note: How to configure IPsec dialup VPN with certificate based authentication