Configuring the certificates
- On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs and create a new root CA.
- Go to Certificate Management > End Entities > Local Services and configure a certificate used for EAP-TLS.
- Go to Authentication > RADIUS Service > EAP and set up the EAP configuration.
- Go to Certificate Management > End Entities > Users and create a client certificate. The CN must match the AD user name.
If the client certificates were not created by FortiAuthenticator, upload the third-party server certificate to FortiAuthenticator as a Trusted CA.
In this example, FortiAuthenticator creates the client certificates.
Select Export Key and Cert (with a Passphrase to protect it) and download the PKCS#12 file.
The client certificate can be pushed out using Group Policy Object (GPO). Otherwise, it can be imported manually.
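
For the manual import, the following PowerShell sketch checks the downloaded PKCS#12 file before installing it. It is an added example, not part of the original procedure. It assumes a placeholder file path, the current user's Personal store as the target, and that the logged-on Windows user is the AD user the certificate was issued to.

```powershell
# Added example. $PfxPath is a hypothetical location for the downloaded file.
$PfxPath = 'C:\Temp\client-cert.p12'

# Prompt for the export passphrase so it is not stored in the script or history.
$Passphrase = Read-Host -Prompt 'PKCS#12 passphrase' -AsSecureString

# Read the bundle without installing it; a wrong passphrase stops here.
$pfx = Get-PfxData -FilePath $PfxPath -Password $Passphrase -ErrorAction Stop

# The end-entity certificate is the client certificate created for the user.
$cert = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $cert) { throw "No end-entity certificate found in $PfxPath" }

# The CN must match the AD user name (assumed here to be the logged-on user).
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn = $cert.GetNameInfo($nameType, $false)
if ($cn -ne $env:USERNAME) {
    throw "Certificate CN '$cn' does not match user name '$env:USERNAME'"
}

# Refuse a certificate that is not yet valid or has already expired.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}

Write-Host "Subject: $($cert.Subject)"
Write-Host "Issuer:  $($cert.Issuer)"

# Import into the user's Personal store. Without -Exportable the private key
# is marked non-exportable, so it cannot be re-exported from this machine.
Import-PfxCertificate -FilePath $PfxPath -Password $Passphrase `
    -CertStoreLocation 'Cert:\CurrentUser\My' | Out-Null

# Confirm the stored certificate carries its private key, which EAP-TLS needs.
$stored = Get-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
if (-not $stored.HasPrivateKey) {
    throw "Imported certificate $($cert.Thumbprint) has no private key"
}
Write-Host "Imported $($stored.Thumbprint) with private key for $cn"
```

Delete the PKCS#12 file after a successful import, since it still contains an exportable copy of the private key.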