This is a detailed guide on how to configure an SSL VPN with certificate authentication on a Fortigate. We will be using OpenSSL to generate the CA and the certificates.
1. Generate the CA or root certificate (Certificate Authority)
You will need to generate a root certificate (the CA) to sign both the Server and the Client certificate. The CA certificate and the Server certificate (with its key) are installed on the Fortigate; the Client certificate and its key, packaged as a PKCS#12 file, are installed on the end user's computer where the Forticlient VPN application is installed. The CA, the certificates it has signed and the trust the Fortigate places in that CA together form a public key infrastructure (PKI): the Fortigate accepts a client certificate only because it chains to a CA the Fortigate trusts.
1.1 Create the directories to hold the CA certificate.
1.2 Create additional CA files
The CA needs a few additional files to operate: a serial file that keeps track of the last serial number used by the CA, and an index file (index.txt in the default configuration) that records which certificates have been issued. openssl ca updates both every time it signs a request.
1.3 Edit the config file – nano /etc/ssl/openssl.cnf
This tells openssl ca where to find the CA directory, the CA key and certificate, and the serial and index files created above (the [ CA_default ] section of openssl.cnf).
1.4 Generate Root Certificate
Please note that your Organization Name (O) needs to match on all the certificates that will be forming the chain of trust, and that each certificate needs its own Organizational Unit (OU) or Common Name (CN). Both rules come from the CA configuration in openssl.cnf rather than from the Fortigate: the default policy_match section requires the Country (C), State (ST) and Organization (O) of a request to match the CA certificate, and unique_subject (on by default) makes the CA refuse to issue a second certificate with exactly the same subject. Steps 2 and 3 cover the Certificate Signing Request of both Server and Client, where you will need to take these values into account.
1.5 Install the Root Certificate and Key
2. Generate Server CSR (Certificate Signing Request) and Key
2.1 Generate Server Key
The next set of commands removes the passphrase from the server key, so that you are not prompted for it when generating the CSR (Certificate Signing Request) and the key can later be uploaded to the Fortigate without having to supply a key password.
2.2 Generate Server CSR
Please note that the following values need to be accurate for it to work: the Organization (O) needs to match on all 3 certificates, and the Common Name (CN) of the server certificate should be the hostname or IP address that users will connect to, so that the certificate matches the address users type into Forticlient.
3. Generate Client CSR (Certificate Signing Request) and key
Repeat step 2, replacing the word server with client. You should then have the following files.
4. Sign both the Server and Client CSR’s
This will create the server and client certificate.
You will now have both .crt files.
5. Generate the .pfx file or pkcs12 Client certificate
This bundle contains the client key and the client certificate (and can carry the CA certificate as well), and it is what will be installed on the host where the Forticlient application is installed. OpenSSL will ask for an export password, which is needed again when the file is imported in step 7.
You should now have the following files:
6. Copy the CA certificate back to your home directory
You will now have all the files you need for certificate authentication.
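Steps 1 to 6 as one runnable script, added here as an example (it is not code from the original post). It builds the CA directory, serial and index files, writes a minimal openssl.cnf whose policy_match and unique_subject settings are what enforce the O / OU rules above, issues the server and client certificates, packs the client into a .pfx, and then verifies the chain. The organization name, VPN host name, user name and export password are hypothetical, and it needs OpenSSL 1.1.1 or later.

```shell
# Added example, not from the original post: steps 1 to 6 run end to end with a small openssl ca
# setup, then checked. Names and the export password are hypothetical. Needs OpenSSL 1.1.1+.
set -e
ORG="Example Corp"
VPN_HOST="vpn.example.com"
PFX_PASS="changeit"   # export password the Windows import wizard will ask for

# Steps 1.1 and 1.2: directories plus the two bookkeeping files openssl ca needs.
setup_ca_dirs() {
  mkdir -p "$1/private" "$1/newcerts"
  chmod 700 "$1/private"   # the CA key lives here; keep it owner-only
  echo 01 > "$1/serial"; : > "$1/index.txt"   # next serial number; empty database of issued certs
}
# Step 1.3: minimal openssl.cnf. policy_match forces C, ST, O to equal the CA; unique_subject rejects repeats.
write_ca_config() {
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
unique_subject = yes
copy_extensions = copy
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}
# Step 1.4: self-signed root. -nodes keeps this unattended; a real CA key gets a passphrase.
make_root_ca() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 -config "$1/openssl.cnf" \
    -subj "/C=US/ST=Texas/O=$ORG/OU=PKI/CN=$ORG Root CA" \
    -keyout "$1/private/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
}
# Steps 2 and 3: unencrypted key plus CSR. C, ST, O repeat the CA; OU and CN make each subject distinct.
make_key_and_csr() {   # make_key_and_csr <dir> <name> <OU> <CN> [subjectAltName]
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$1/$2.key" -config "$1/openssl.cnf" \
    -subj "/C=US/ST=Texas/O=$ORG/OU=$3/CN=$4" ${5:+-addext subjectAltName=$5} -out "$1/$2.csr"
}
# Step 4: the CA signs. The extension section fixes the role (serverAuth vs clientAuth); -notext = plain PEM.
sign_csr() {   # sign_csr <dir> <name> <server_cert|client_cert>
  openssl ca -batch -notext -config "$1/openssl.cnf" -extensions "$3" \
    -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
# Step 5: PKCS#12 (key + cert + CA) for the user's computer. On OpenSSL 3 add -legacy for older Windows.
make_pfx() {   # make_pfx <dir> <name> <export-password>
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" -certfile "$1/cacert.pem" \
    -name "$2" -passout "pass:$3" -out "$1/$2.pfx"
}
# Subject string for the step 10.2 PKI user (RFC 2253 order; compare with what the Fortigate shows).
cert_subject() {   # cert_subject <dir> <name>
  openssl x509 -in "$1/$2.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}
purpose_ok() {   # purpose_ok <dir> <name> <sslserver|sslclient>: chain and extendedKeyUsage check
  openssl verify -purpose "$3" -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1
}
pfx_has_key() {   # pfx_has_key <dir> <name> <password>: the bundle must carry the private key
  openssl pkcs12 -in "$1/$2.pfx" -passin "pass:$3" -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}
build_pki() {   # build_pki <workdir>: steps 1 to 6 in one go
  setup_ca_dirs "$1"; write_ca_config "$1"; make_root_ca "$1"
  make_key_and_csr "$1" server "VPN Server" "$VPN_HOST" "DNS:$VPN_HOST"
  make_key_and_csr "$1" client "VPN Users" "vpn-user1"
  sign_csr "$1" server server_cert; sign_csr "$1" client client_cert
  make_pfx "$1" client "$PFX_PASS"
}

WORK=$(mktemp -d)
build_pki "$WORK"
purpose_ok "$WORK" server sslserver   # both leaves must chain to the CA with the right role
purpose_ok "$WORK" client sslclient
echo "PKI built in $WORK; client subject: $(cert_subject "$WORK" client)"
```

The purpose check is the part worth keeping around: because the server and client certificates carry different extendedKeyUsage values, the server certificate fails an sslclient check and the client certificate fails an sslserver check, which is exactly the separation you want before any of this reaches the Fortigate. The files that matter afterwards are cacert.pem and server.crt plus server.key (steps 8 and 9) and client.pfx (step 7).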
7. Install the Client certificate on the users computer
Copy the client.pfx to the user's computer and double-click the file. Using the Windows certificate wizard, install the certificate into the Personal certificate store of the user who will run Forticlient; enter the export password chosen in step 5 when prompted, and leave the private key marked as not exportable so it cannot simply be copied off the machine.
8. Import CA Certificate to Fortigate
Import the cacert.pem file to your Fortigate. Under System/Certificates, click Import and then CA Certificate. Select File and then click the Upload button. You will now see the certificate installed under Remote CA Certificates.
9. Import Server Certificate to Fortigate
You will need both server.crt and server.key for this. Again click Import, this time choosing Local Certificate, and upload the server certificate and key file to the Fortigate as per below. Alternatively you could upload a PKCS#12 (.pfx) file containing both (as was done with the client certificate).
You will now see the certificate on the Fortigate under local certificates. Please refer to the picture in step 8.
PLEASE NOTE: The following steps will assume that you have a working SSL VPN configuration and will not go through in detail the workings of a SSL-VPN setup.
10. Configure PKI user
10.1 You will need to specify a name for the PKI user, the CA certificate imported in step 8, and the subject that the user's client certificate must present.
10.2 Obtaining the subject from the certificate
Once this has been completed you will see the PKI option in the GUI and can then put the PKI users that you have created into the corresponding SSL-VPN user groups.
10.3 Add two-factor authentication
With two-factor enabled on the PKI user, the certificate alone is not enough: the user must also enter the password set on the PKI user.
11. Configure the SSL-VPN settings
You will set the server certificate which you uploaded earlier (set servercert "SSLSERVER") and also set reqclientcert to enable, so that the Fortigate demands a client certificate during the TLS handshake. I have also set the default-portal to web-access, although we will be using Forticlient.
Again, I have not gone into too much detail regarding the SSL-VPN setup. You will need to make sure you have your firewall policies, portal mappings etc. in place for this to work. This guide assumes you have a working SSL-VPN configuration in place and that you are adding certificate authentication on top of it.
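The CLI side of steps 10 and 11 in one place, added here as an example and not taken from the original post. The names are assumptions: CA_Cert_1 is the name FortiOS gives the first imported remote CA (check yours under Remote CA Certificates), SSLSERVER is the server certificate from step 9, vpn-user1 and its subject are a hypothetical client certificate, and sslvpn-pki-users is the group mapped to the portal. The subject string is the one thing to copy rather than type: take it from the certificate details the Fortigate shows in step 10.2.

```text
# Added example, not from the original post. Assumed names: CA_Cert_1, SSLSERVER,
# vpn-user1 (subject CN=vpn-user1,OU=VPN Users,O=Example Corp,ST=Texas,C=US), sslvpn-pki-users.
config user peer
    edit "vpn-user1"
        set ca "CA_Cert_1"
        set subject "CN=vpn-user1,OU=VPN Users,O=Example Corp,ST=Texas,C=US"
        set two-factor enable
        set passwd "<second-factor-password>"
    next
end
config user group
    edit "sslvpn-pki-users"
        set member "vpn-user1"
    next
end
config vpn ssl settings
    set servercert "SSLSERVER"
    set reqclientcert enable
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "sslvpn-pki-users"
            set portal "full-access"
        next
    end
end
```

Two of these lines carry the security weight. set reqclientcert enable is what makes the certificate mandatory at the TLS layer; left at the default of disable, the Fortigate does not require a client certificate at all, so a password-only user in the same portal would still get in and the PKI user would only decide who may authenticate with a certificate. set two-factor enable together with set passwd makes the password an addition to the certificate, not a replacement for it.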
12. Configure Forticlient
Once the client certificate has been installed as per step 7, it will populate the drop-down next to Client Certificate in the Forticlient connection settings; select it there.
13. Troubleshooting Commands on the Fortigate
Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.
- Author:NetSec
- URL:https://blog.51sec.org/article/2d3c15ab-5fe5-48f1-842e-f38efe1cf2c8
- Copyright:All articles in this blog, except for special statements, adopt BY-NC-SA agreement. Please indicate the source!