
Administration Guide

Public Key Infrastructure

Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns an authentication successful or denied notification. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.

To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:

  • an X.509 certificate for the FortiManager administrator (administrator certificate)
  • an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)
To get the CA certificate:
  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > Certificate Authorities > Local CAs.
  3. Select the certificate and select Export in the toolbar to save the ca_fortinet.com CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.
To get the administrator certificate:
  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > End Entities > Users.
  3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved administrator certificate’s filename is admin_fortinet.com.p12. This PKCS#12 file is password protected. You must enter a password on export.
To import the administrator certificate into your browser:
  1. In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
  2. Select the file admin_fortinet.com.p12 and enter the password used in the previous step.
To import the CA certificate into the FortiAnalyzer:
  1. Log into your FortiAnalyzer.
  2. Go to System Settings > Certificates > CA Certificates.
  3. Click Import, and browse for the ca_fortinet.com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.
To create a new PKI administrator account:
  1. Go to System Settings > Admin > Administrator.
  2. Click Create New. The New Administrator dialog box opens.

    See Creating administrators for more information.

  3. Select PKI for the Admin Type.
  4. Enter a comment in the Subject field for the PKI administrator.
  5. Select the CA certificate from the dropdown list in the CA field.
  6. Click OK to create the new administrator account.

PKI authentication must be enabled via the FortiAnalyzer CLI with the following commands:

config system global
    set clt-cert-req enable
end

PKI certificate authentication requires an HTTPS connection to the FortiAnalyzer GUI; the client certificate is presented during the TLS handshake, so a plain HTTP connection cannot authenticate a PKI administrator.

When both clt-cert-req and admin-https-pki-required are enabled, only PKI administrators can connect to the FortiAnalyzer GUI; administrators with a username and password are no longer able to log in.
