With Microsoft Active Directory as the Root CA, use Group Policy Management to deploy client certificates to domain computers. This is the certificate that will be used to validate RADIUS requests.
- In Active Directory > Group Policy Management, create a new Group Policy Object (GPO) with settings configured for auto-enrollment.
- Link the GPO to the OU where the client computers are located.
The computer account in Active Directory must have the dNSHostName attribute set to the computer's name. This attribute is used later on the FortiAuthenticator when creating the remote user sync rule.
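The following PowerShell check is an added example, not part of the Fortinet documentation. Run it on a domain-joined client after the auto-enrollment GPO has applied to confirm that the computer account's dNSHostName matches the host's FQDN and that a client-authentication certificate chaining to the AD Root CA was issued. The function name is mine, and the Root CA thumbprint is a placeholder you must replace.

```powershell
# Added verification example (not from the Fortinet page). Assumes a
# domain-joined Windows client; replace the placeholder thumbprint with
# the thumbprint of your AD CS Root CA certificate.
$RootCaThumbprint = 'ROOT-CA-THUMBPRINT-PLACEHOLDER'

function Test-RadiusClientCertPrereqs {
    param([string]$RootThumbprint = $RootCaThumbprint)

    # dNSHostName on the computer account, read via ADSI (no RSAT required)
    $searcher = [adsisearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    $result = $searcher.FindOne()
    $adDnsHostName = if ($result) { $result.Properties['dnshostname'][0] } else { $null }

    # FQDN the computer reports for itself
    $cs = Get-CimInstance Win32_ComputerSystem
    $localFqdn = "$($cs.DNSHostName).$($cs.Domain)"

    # Machine certificates usable for EAP-TLS: private key present,
    # Client Authentication EKU, not expired
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.FriendlyName -contains 'Client Authentication')
    }

    # Keep only certificates whose chain ends at the expected Root CA and
    # whose SAN carries the AD dNSHostName value
    $good = foreach ($c in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $chain.Build($c)) { continue }
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($root.Thumbprint -eq $RootThumbprint -and
            ($c.DnsNameList.Unicode -contains $adDnsHostName)) { $c }
    }

    $nameOk = ($null -ne $adDnsHostName) -and ($adDnsHostName -ieq $localFqdn)
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        ADdNSHostName      = $adDnsHostName
        LocalFqdn          = $localFqdn
        DnsHostNameMatches = $nameOk
        UsableCertCount    = @($good).Count
        Thumbprints        = @($good | ForEach-Object Thumbprint)
        Ready              = $nameOk -and (@($good).Count -gt 0)
    }
}

Test-RadiusClientCertPrereqs | Format-List
```

If `Ready` is `False`, check `DnsHostNameMatches` first (the sync rule on the FortiAuthenticator depends on it) and then confirm the GPO has applied with `gpresult /r` before looking at the certificate template.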
- On the FortiGate, go to System > Certificates, and click Import > CA Certificate. Configure the following settings, and click OK when complete.
  - Type: File.
  - Upload: Click Upload and browse to the location of your certificate.
- On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Trusted CAs, and click Import. Configure the following settings, and click OK when complete.
  - Certificate ID: Enter the certificate ID.
  - Certificate: Click Upload a file and browse to the location of your certificate.
Once the Root CA is configured, you can issue certificates from AD to both the FortiGate and the FortiAuthenticator.