FortiClientVPN iOS Certificate Passphrase
Greetings all,
I'm having an issue which I get the sense will be a simple fix, but I'm at a bit of a loss. I'm trying to add a certificate to iOS to use for connecting to a FortiGate VPN. I have no trouble getting the certificate onto the iPhone and FortiClient detecting it, but it's asking for a passphrase.
I generated a certificate key pair via Easy-RSA and was able to upload them to the FortiGate without issue. The private key has a password, so I was able to enter that into FortiGate without issue. But on the iPhone, my understanding is it's just the one file, and it needs to be the certificate, which does not have a password. But the app will not let it be used without a password, and leaving it blank returns "incorrect passphrase".
What am I doing wrong? I'd appreciate any help. Thanks!
Labels: FortiClient
Hello
Can you add a screenshot?
This message pops up after I select the file and when I try to save the configuration.
I suspect you are trying to add the certificate on the field that is used for user certificate based authentication. If you are trying to configure username/password authentication only, no client certificate is needed. As long as the device has the certificate trusted in its store, the authentication will succeed.
If you have found a solution, please like and accept it to make it easily accessible for others.
That is correct, and is my intention. I don't want to rely on just username/pw or even 2fa.
Created on 05-08-2023 12:16 AM, edited on 05-08-2023 12:18 AM
In that case you need to create dedicated certificates (+ private key) and apply for each user that will use the VPN. Details are explained here: https://docs.fortinet.com/document/forticlient/7.0.0/ios-administration-guide/428118/ssl-vpn
If you have found a solution, please like and accept it to make it easily accessible for others.
Correct, set up a CA, made the certificate key pairs, signed, etc.
I noted that I already had the certificates in the original post.
I figured it out last night - they couldn't be .key and .crt files. Even renaming them as someone instructed another poster was not sufficient. They had to be exported as .p12 files, which combines the private key and certificate, and is password protected.
Thanks for trying to assist though! I appreciate it.
As this was the top Google result:
Should you generate the .p12 user certificate with OpenSSL 3+: iOS requires the use of the -legacy flag when generating it. Otherwise the FortiGate client will give you the bad/wrong passphrase error.
openssl pkcs12 -export -legacy -out ${user}.p12 -inkey ${user}.key -in ${user}.crt -certfile ca.crt -passout env:P12_PASS
If you export/rename the file with the fctp12 extension, like -out ${user}.fctp12, you can import it directly from a mail client into the iOS version of FortiGate.
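The workflow the thread converges on (key + certificate exported as a passphrase-protected PKCS#12, with -legacy on OpenSSL 3) as an added, self-contained example; it is not code from the thread or from Fortinet. It uses plain openssl commands in place of Easy-RSA and builds a throwaway CA, so the names (example-vpn-ca, alice, the output directory) are constructed for the example. The second function inspects the finished bundle and reports whether it was encrypted with the old PBE schemes (RC2-40/3DES, what -legacy selects and what the post says iOS accepts) or with PBES2/AES (the OpenSSL 3 default that produces the "wrong passphrase" error). One caveat worth keeping in mind: the legacy schemes are weak, so the file is protected mainly by the passphrase you choose; use a strong one and delete the .p12 from mail and downloads once it is imported.

```shell
#!/bin/sh
# Added example (not from the thread): build an iOS-compatible PKCS#12 user
# bundle with plain openssl, then check which encryption scheme it uses.
set -eu

# Returns 0 when the installed openssl is 3.x or newer (where -legacy exists
# and is needed); OpenSSL 1.1 has no -legacy flag but already defaults to
# the legacy RC2/3DES PBE algorithms.
openssl_is_v3() {
    case "$(openssl version | awk '{print $2}')" in
        3.*|[4-9].*) return 0 ;;
        *) return 1 ;;
    esac
}

# make_user_p12 USER PASSPHRASE DIR MODE
#   MODE is "legacy" (iOS-compatible, the thread's fix) or "modern"
#   (OpenSSL 3 default, PBES2/AES, the variant iOS rejects).
# Creates a throwaway CA plus a user key/cert in DIR (constructed for the
# example; a real deployment would sign with its Easy-RSA CA instead),
# exports DIR/USER.p12 and prints its path.
make_user_p12() {
    user="$1"; pass="$2"; dir="$3"; mode="$4"
    mkdir -p "$dir"
    # Throwaway CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-vpn-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # User key and CSR, signed by the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/$user.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/$user.crt" 2>/dev/null
    # The export. -legacy is only understood (and only needed) on OpenSSL 3+.
    legacy_flag=""
    if [ "$mode" = legacy ] && openssl_is_v3; then legacy_flag="-legacy"; fi
    # Passphrase is passed via the environment, as in the thread, so it does
    # not show up in the process list.
    P12_PASS="$pass" openssl pkcs12 -export $legacy_flag \
        -out "$dir/$user.p12" -inkey "$dir/$user.key" -in "$dir/$user.crt" \
        -certfile "$dir/ca.crt" -passout env:P12_PASS
    printf '%s\n' "$dir/$user.p12"
}

# p12_encryption_scheme FILE PASSPHRASE
#   Prints "legacy" (RC2-40 / 3DES PBE), "pbes2" (PBKDF2 + AES) or "unknown".
#   OpenSSL 3 also needs -legacy to *read* RC2/3DES bundles, hence the flag.
p12_encryption_scheme() {
    file="$1"; pass="$2"
    legacy_flag=""
    if openssl_is_v3; then legacy_flag="-legacy"; fi
    # -info writes the algorithm summary to stderr, so merge the streams.
    info="$(P12_PASS="$pass" openssl pkcs12 -in "$file" -info -noout $legacy_flag \
        -passin env:P12_PASS 2>&1)"
    case "$info" in
        *PBES2*)             echo pbes2 ;;
        *RC2*|*TripleDES*)   echo legacy ;;
        *)                   echo unknown ;;
    esac
}

# Stand-alone demo: build one bundle of each kind in a temp dir and report.
demo_dir="$(mktemp -d)"
demo_p12="$(make_user_p12 alice 'use-a-long-passphrase' "$demo_dir" legacy)"
echo "legacy bundle:  $demo_p12 -> $(p12_encryption_scheme "$demo_p12" 'use-a-long-passphrase')"
demo_p12="$(make_user_p12 bob 'use-a-long-passphrase' "$demo_dir" modern)"
echo "default bundle: $demo_p12 -> $(p12_encryption_scheme "$demo_p12" 'use-a-long-passphrase')"
rm -rf "$demo_dir"
```

On an OpenSSL 3 host the demo prints "legacy" for the first bundle and "pbes2" for the second; the second is the one the FortiClient iOS app reports as a wrong passphrase. If you want the mail-import trick from the post, rename the output to ${user}.fctp12 after verifying it.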
