Public Key Infrastructure
Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.
To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:
- an X.509 certificate for the FortiManager administrator (administrator certificate)
- an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)
To get the CA certificate:
- Log into your FortiAuthenticator.
- Go to Certificate Management > Certificate Authorities > Local CAs.
- Select the certificate and select Export in the toolbar to save the ca_fortinet.com CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.
To get the administrator certificate:
- Log into your FortiAuthenticator.
- Go to Certificate Management > End Entities > Users.
- Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved administrator certificate’s filename is admin_fortinet.com.p12. This PKCS#12 file is password protected. You must enter a password on export.
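Before importing either file, you can confirm that the certificate inside admin_fortinet.com.p12 was issued by the CA in ca_fortinet.com.crt, because the PKI administrator account is bound to that CA certificate. The following shell example is an addition to this page, not Fortinet tooling; it assumes the OpenSSL command-line tool is installed, and the function names, the demo-pass password and the generated demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Fortinet code. Requires the openssl command-line tool.

# check_admin_p12 CA_CRT ADMIN_P12 PASSWORD
# Prints subject and expiry of the client certificate in the PKCS#12 file.
# Returns 0 if it chains to CA_CRT, 1 if it does not, 2 if the file cannot
# be opened (wrong export password or not a PKCS#12 file).
check_admin_p12() {
    ca_crt=$1; p12=$2
    tmp=$(mktemp) || return 2
    # Extract the client certificate only; the private key is not written out.
    if ! P12PASS=$3 openssl pkcs12 -in "$p12" -clcerts -nokeys \
            -passin env:P12PASS -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"; return 2
    fi
    openssl x509 -in "$tmp" -noout -subject -enddate
    if openssl verify -CAfile "$ca_crt" "$tmp" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# make_demo_pki DIR (hypothetical helper): writes constructed stand-ins for the
# two exported files, plus an unrelated CA, so the check can be run offline.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Local CA" \
        -keyout "$d/ca.key" -out "$d/ca_fortinet.com.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated CA" \
        -keyout "$d/other.key" -out "$d/other_ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" \
        -keyout "$d/admin.key" -out "$d/admin.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/admin.csr" -days 30 -CA "$d/ca_fortinet.com.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/admin.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/admin.key" -in "$d/admin.crt" \
        -passout pass:demo-pass -out "$d/admin_fortinet.com.p12"
}

# Demo run on the constructed files.
demo=$(mktemp -d) && make_demo_pki "$demo" &&
check_admin_p12 "$demo/ca_fortinet.com.crt" "$demo/admin_fortinet.com.p12" demo-pass &&
echo "administrator certificate chains to the CA"
rm -rf "$demo"
```

Against real exports, call check_admin_p12 with the two saved files and the password entered on export; a return code of 1 means the administrator certificate was not signed by the CA you are about to import.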
To import the administrator certificate into your browser:
- In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
- Select the file admin_fortinet.com.p12 and enter the password used in the previous step.
To import the CA certificate into the FortiAnalyzer:
- Log into your FortiAnalyzer.
- Go to System Settings > Certificates > CA Certificates.
- Click Import, and browse for the ca_fortinet.com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.
To create a new PKI administrator account:
- Go to System Settings > Admin > Administrator.
- Click Create New. The New Administrator dialog box opens. See Creating administrators for more information.
- Select PKI for the Admin Type.
- Enter a comment in the Subject field for the PKI administrator.
- Select the CA certificate from the dropdown list in the CA field.
- Click OK to create the new administrator account.
PKI authentication must be enabled via the FortiAnalyzer CLI with the following commands:
config system global
    set clt-cert-req enable
end
When connecting to the FortiAnalyzer GUI, you must use HTTPS when using PKI certificate authentication.
When both |