FortiGate
pradeepb
Article Id 197444

Description


This article explains why a PKI peer user must be created for certificate authentication.
In some cases, when SSL VPN or IPsec VPN is configured with certificate authentication, authentication may fail even though a valid user certificate is presented by the client.


Scope


FortiGate.

Solution


This issue can occur if the PKI user created for SSL VPN or IPsec VPN does not match the user certificate presented by the client.

The only parameter FortiGate checks when matching a user certificate to a PKI user is the ‘subject’ name. The subject configured on the PKI user must match the subject of the user certificate (CN = name). If the CN on the client certificate and the CN in the PKI user entry on FortiGate differ, certificate authentication fails.

To create a PKI user, use the CLI commands below.


config user peer
    edit pki01
        set ca CA_Cert_1
        set subject "CN = name"    <----- Replace 'name' with the value of the CN field on the user certificate.
    next
end


In the above PKI user entry, the subject is the CN of the user certificate (‘User01’ in this example, so the line would read set subject "CN = User01") and ‘CA_Cert_1’ is the name of the CA certificate that signed it.

To add the PKI user to a user group, use the CLI commands below.


config user peergrp
    edit pki-users
        set member "pki01"
    next
end
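The following script is an added example, not part of the original article or any Fortinet tool. It models the matching rule described above: the CN in the PKI user's subject must equal the CN of the client certificate. It takes the subject line that `openssl x509 -noout -subject` prints (a constructed sample is embedded so it runs offline), extracts the CN, reports whether a given `set subject` value would match, and emits the two CLI blocks above with the correct CN filled in. The exact, case-sensitive comparison and the parser for openssl's `TYPE = value` subject format are assumptions of this example.

```python
import re

# Constructed sample input: the subject line that
#   openssl x509 -in client.crt -noout -subject
# prints for a hypothetical client certificate (not from the article).
SAMPLE_OPENSSL_SUBJECT = "subject=C = US, O = Example Corp, OU = VPN Users, CN = User01"

# The placeholder subject from the article's 'config user peer' example.
ARTICLE_PEER_SUBJECT = "CN = name"


def parse_dn(dn: str) -> dict:
    """Parse a comma-separated RDN list ('C = US, CN = User01') into {TYPE: value}.

    Accepts the raw 'subject=' line from openssl as well as the bare DN used in
    FortiGate's 'set subject'. Commas escaped as '\\,' inside a value are kept.
    """
    if dn.startswith("subject="):
        dn = dn[len("subject="):]
    rdns = {}
    for part in re.split(r"(?<!\\),", dn):   # split on commas not preceded by a backslash
        if "=" not in part:
            continue
        attr, value = part.split("=", 1)
        rdns[attr.strip().upper()] = value.strip().replace("\\,", ",")
    return rdns


def expected_peer_subject(openssl_subject: str) -> str:
    """Return the 'set subject' value that matches this certificate's CN."""
    cn = parse_dn(openssl_subject).get("CN")
    if cn is None:
        raise ValueError("certificate subject has no CN; FortiGate cannot match it")
    return f"CN = {cn}"


def peer_matches_cert(peer_subject: str, openssl_subject: str) -> bool:
    """Model the check described in the article: the PKI user's CN must equal the certificate's CN.

    Exact, case-sensitive comparison is an assumption of this example.
    """
    peer_cn = parse_dn(peer_subject).get("CN")
    cert_cn = parse_dn(openssl_subject).get("CN")
    return peer_cn is not None and peer_cn == cert_cn


def render_peer_config(peer_name: str, ca_name: str, group_name: str, openssl_subject: str) -> str:
    """Emit the two CLI blocks from the article with the CN filled in from the certificate."""
    subject = expected_peer_subject(openssl_subject)
    lines = [
        "config user peer",
        f"    edit {peer_name}",
        f"        set ca {ca_name}",
        f'        set subject "{subject}"',
        "    next",
        "end",
        "config user peergrp",
        f"    edit {group_name}",
        f'        set member "{peer_name}"',
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # The article's placeholder 'CN = name' does not match a certificate issued to User01,
    # which is exactly the mismatch that makes certificate authentication fail.
    print("article placeholder matches sample cert:",
          peer_matches_cert(ARTICLE_PEER_SUBJECT, SAMPLE_OPENSSL_SUBJECT))
    print(render_peer_config("pki01", "CA_Cert_1", "pki-users", SAMPLE_OPENSSL_SUBJECT))
```

Run it against the real subject line of the client certificate before creating the PKI user; if peer_matches_cert returns False for the value you intend to configure, the VPN login will fail for the reason this article describes.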


Related articles:

Technical Note: Using Certificates to authenticate users in SSL VPN

Technical Note: How to configure IPsec dialup VPN with certificate based authentication