Public Key Infrastructure
Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns an authentication successful or denied notification. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.
To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:
- an X.509 certificate for the FortiManager administrator (administrator certificate)
- an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)
For more information on the CSR generation process, see Local certificates.
To get the CA certificate:
- Log into your FortiAuthenticator.
- Go to Certificate Management > Certificate Authorities > Local CAs.
- Select the certificate and select Export in the toolbar to save the ca_fortinet.com CA certificate to your management computer. The saved CA certificate's filename is ca_fortinet.com.crt.
To get the administrator certificate:
- Log into your FortiAuthenticator.
- Go to Certificate Management > End Entities > Users.
- Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved administrator certificate's filename is admin_fortinet.com.p12. This PKCS#12 file is password protected; you must enter a password on export.
To import the administrator certificate into your browser:
- In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
- Select the file admin_fortinet.com.p12 and enter the password used in the previous step.
To import the CA certificate into the FortiAnalyzer:
- Log into your FortiAnalyzer.
- Go to System Settings > Certificates > CA Certificates.
- Click Import, and browse for the ca_fortinet.com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.
To create a new PKI administrator account:
- Go to System Settings > Admin > Administrator.
- Click Create New. The New Administrator dialog box opens.
See Creating administrators for more information.
- Select PKI for the Admin Type.
- Enter a comment in the Subject field for the PKI administrator.
- Select the CA certificate from the dropdown list in the CA field.
- Click OK to create the new administrator account.
PKI authentication must be enabled via the FortiAnalyzer CLI with the following commands:

```
config system global
    set clt-cert-req enable
end
```
When connecting to the FortiAnalyzer GUI, you must use HTTPS when using PKI certificate authentication.
When