Thinkings
How to configure a SSL-VPN with certificate authentication on a Fortigate
Sep 12, 2024
Nov 23, 2024
This is a detailed guide on how to configure an SSL-VPN with certificate authentication on a Fortigate. We will be using OpenSSL to generate the CA and the certificates.

1. Generate the CA or root certificate (Certificate Authority)

You will need to generate a root certificate to sign the server and client certificates. The CA and server certificates are installed on the Fortigate, and the client PKCS#12 bundle is installed on the end-user computer where the Forticlient VPN application is installed. Together these form a chain of trust, a public key infrastructure (PKI).

1.1 Create the directories to hold the CA certificate.

1.2 Create additional CA files

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, and another file to record which certificates have been issued:

1.3 Edit the config file – nano /etc/ssl/openssl.cnf

This specifies the file locations for OpenSSL.

1.4 Generate Root Certificate

Please note that the Organization Name (O) must be identical on every certificate that forms the chain of trust, while the Organizational Unit name (OU) must be unique on each certificate. Steps 2 and 3 cover the Certificate Signing Requests for the server and the client, where these values must be entered accordingly.

1.5 Install the Root Certificate and Key

2. Generate Server CSR (Certificate Signing Request) and Key

2.1 Generate Server Key

The next set of commands ensures that you don’t have to enter a passphrase to generate the CSR (Certificate Signing Request).

2.2 Generate Server CSR

Please note that the following must be accurate for this to work: the Organization (O) must match on all three certificates.

3. Generate Client CSR (Certificate Signing Request) and key

Repeat step 2 – replacing the word server with client. You should have the following files.

4. Sign both the Server and Client CSRs

This will create the server and client certificates.
You will now have both .crt files.

5. Generate the .pfx file or pkcs12 Client certificate

This will be installed on the host where the Forticlient application is installed.
You should now have the following files:

6. Copy the CA certificate back to your home directory

You will now have all the files you need for certificate authentication.

7. Install the Client certificate on the user's computer

Copy client.pfx to the user's computer and double-click the file. Using the Windows certificate import wizard, install the certificate into the Personal certificate store.

8. Import CA Certificate to Fortigate

Import the cacert.pem file to your Fortigate. Under System > Certificates, click Import and then CA Certificate, select File, and click the Upload button. You will now see the certificate installed under Remote CA Certificates.

9. Import Server Certificate to Fortigate

You will need both server.crt and server.key for this. Again click Import, but this time choose Local Certificate. Upload the certificate and key files to the Fortigate. Alternatively, you could generate a PKCS#12 (.pfx) file for the server, as was done with the client certificate.
You will now see the certificate on the Fortigate under Local Certificates. Please refer to the picture in step 8.
PLEASE NOTE: The following steps assume that you have a working SSL-VPN configuration and will not go through the workings of an SSL-VPN setup in detail.

10. Configure PKI user

10.1 You will need to specify a username, your CA certificate, and subject.

10.2 Obtaining the subject from the certificate

Once this has been completed, the PKI option appears in the GUI, and you can then add the PKI users you have created to the corresponding SSL-VPN groups.
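The OpenSSL side of steps 1 to 6 and the subject lookup of step 10.2, as an added example that is not part of the original post: it builds the root CA, signs server and client certificates that share the O value but differ in OU, exports the client PKCS#12 bundle, verifies the chain, and prints the client subject for the PKI user's subject field. It assumes OpenSSL 1.1.1 or newer is on the PATH; the organization, host name, user name and export password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the commands from the original post: builds the CA -> server
# -> client chain of steps 1-6 with OpenSSL, verifies it, and extracts the client
# subject needed for the PKI user in step 10.2. All names (ExampleOrg,
# sslvpn.example.com, vpnuser1) and the PKCS#12 password are constructed placeholders.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
ORG="ExampleOrg"   # O= must be identical on all three certificates (step 1.4)

# Steps 1-5, run in a subshell so the cd does not leak into the caller.
build_pki() (
  cd "$PKI_DIR"
  # Each certificate's extensions pin it to one role; the OU is unique per cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > server.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
  # 1.4 Root CA key and self-signed certificate
  openssl req -new -newkey rsa:2048 -nodes -keyout cakey.pem -out ca.csr \
    -subj "/C=US/O=$ORG/OU=CA/CN=SSL-VPN Root CA"
  openssl x509 -req -in ca.csr -signkey cakey.pem -days 3650 -sha256 \
    -extfile ca.ext -out cacert.pem
  # 2 and 3: server and client keys and CSRs; -nodes means no passphrase prompt
  openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "/C=US/O=$ORG/OU=Server/CN=sslvpn.example.com"
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/C=US/O=$ORG/OU=Client/CN=vpnuser1"
  # 4. Sign both CSRs with the CA; cacert.srl tracks the last serial issued
  for n in server client; do
    openssl x509 -req -in "$n.csr" -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
      -days 825 -sha256 -extfile "$n.ext" -out "$n.crt"
  done
  # 5. PKCS#12 bundle (client.pfx) for the user's PC, with the CA for the chain
  openssl pkcs12 -export -inkey client.key -in client.crt -certfile cacert.pem \
    -out client.pfx -passout pass:changeme
)

# Returns 0 only if both leaf certificates chain to cacert.pem, the same check
# the Fortigate makes against its imported Remote CA certificate.
verify_chain() {
  openssl verify -CAfile "$PKI_DIR/cacert.pem" \
    "$PKI_DIR/server.crt" "$PKI_DIR/client.crt" >/dev/null
}

# Step 10.2: the client subject in RFC 2253 form, for the PKI user's subject field
client_subject() {
  openssl x509 -in "$PKI_DIR/client.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}
```

A mismatched O value or a client certificate signed by a different CA shows up as a verify_chain failure before anything is uploaded to the Fortigate.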

10.3 Add two-factor authentication

11. Configure the SSL-VPN settings

You will set the server certificate which you uploaded earlier (set servercert "SSLSERVER") and also set reqclientcert to enable. I have also set the default-portal to web-access although we will be using Forticlient.
Again I have not gone through too much detail regarding the SSL-VPN setup. You will need to make sure you have your firewall policies, portal mappings etc. in place for this to work. This guide assumes you have a working SSL-VPN configuration in place and that you are adding additional authentication.

12. Configure Forticlient

Once the client certificate has been installed as per step 7, it will appear in the drop-down next to Client Certificate.

13. Troubleshooting Commands on the Fortigate

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

