Administration Guide

Access to certificates in Windows Certificates Stores

On a Windows system, you can view certificates by using a Microsoft Management Console (MMC) snap-in called the Certificates console. For more information, see the related Microsoft TechNet articles.

The Certificates console offers the following snap-in options:

  • My user account
  • Service account
  • Computer account

You can select one or more snap-in options, and they will display in the Certificates console. FortiClient typically searches for certificates in one of the following accounts:

  • User account – contains certificates for the logged-on user
  • Computer account – contains certificates for the local computer

If the certificate is in the local computer account, FortiClient can typically access the certificate. A certificate from the local computer account may be used to establish an IPsec VPN connection, regardless of whether the logged-on user is an administrator or a non-administrator. For SSL VPN and IPsec VPN, the administrator needs to grant non-administrator users permission to access the private key of the certificate. Otherwise, non-administrators cannot use the certificate in the computer account to establish SSL VPN connections. This restriction does not apply to any user with administrator-level permissions.

If the certificate is in the user account, FortiClient can access the certificate if the user has already successfully logged in and that same user imported the certificate. In all other scenarios, FortiClient may be unable to access the certificate.
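The private-key permission described above is a file ACL on the key container under ProgramData. The following PowerShell is an added example, not FortiClient's own tooling: it locates the key file for a computer-account certificate, shows who can read it, grants Read to one group, and lets the non-admin user test whether the key is actually usable. The thumbprint and the group name are placeholders; it assumes the key is held by a Microsoft software CSP/KSP (smart-card and TPM-backed keys have no file to ACL and are rejected).

```powershell
# Added example (not FortiClient code). Assumptions: certificate in Cert:\LocalMachine\My,
# RSA key stored by a Microsoft software provider, placeholders replaced before use.

function Get-PrivateKeyFile {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (-not $Cert.HasPrivateKey) { throw "Certificate $($Cert.Thumbprint) has no private key in this store." }

    # GetRSAPrivateKey returns RSACng for CNG (KSP) keys and RSACryptoServiceProvider for legacy CSP keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { throw "No RSA private key (non-RSA algorithm or key not accessible)." }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyName = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else {
        throw "Unsupported key type $($rsa.GetType().Name); hardware-backed keys have no ACL-able file."
    }

    # Machine key files live under ProgramData: legacy CSP and CNG locations.
    $candidates = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
    )
    foreach ($dir in $candidates) {
        $path = Join-Path $dir $keyName
        if (Test-Path -LiteralPath $path) { return $path }
    }
    throw "Key container '$keyName' not found under $($candidates -join ', ')."
}

function Grant-PrivateKeyRead {
    # Run as administrator. Grants Read only (enough to use the key) to one named group,
    # never FullControl and never Everyone.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$Identity   # placeholder, e.g. 'CONTOSO\VPN-Users'
    )
    $cert    = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $keyFile = Get-PrivateKeyFile -Cert $cert

    Write-Host "Current ACL on $keyFile :"
    (Get-Acl -LiteralPath $keyFile).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl  = Get-Acl -LiteralPath $keyFile
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl
    Write-Host "Granted Read on private key to $Identity."
}

function Test-PrivateKeyAccess {
    # Run as the user who will connect the VPN. Returns $true only if that user can sign
    # with the key, which is what the TLS or IKE handshake will require.
    param([Parameter(Mandatory)][string]$Thumbprint, [string]$Store = 'LocalMachine')
    $cert = Get-Item -Path "Cert:\$Store\My\$Thumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) { Write-Warning "Certificate not visible in Cert:\$Store\My for $env:USERNAME"; return $false }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($null -eq $rsa) { Write-Warning 'No RSA private key available'; return $false }
        [void]$rsa.SignData([byte[]](0x01, 0x02, 0x03),
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return $true
    } catch {
        Write-Warning "Private key present but not usable by $env:USERNAME : $($_.Exception.Message)"
        return $false
    }
}

# Usage (placeholders): grant as administrator, then re-test in the non-admin user's session.
# Grant-PrivateKeyRead -Thumbprint 'PLACEHOLDER_THUMBPRINT' -Identity 'CONTOSO\VPN-Users'
# Test-PrivateKeyAccess -Thumbprint 'PLACEHOLDER_THUMBPRINT'
```

The GUI path edits the same ACL: in the Certificates console under Certificates (Local Computer) > Personal > Certificates, right-click the certificate and choose All Tasks > Manage Private Keys. Running Test-PrivateKeyAccess in the target user's own session, rather than an elevated one, is the check that matters, because administrators pass regardless of the grant.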

The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate for users who are logged into the endpoint and connecting VPN tunnels. Both user columns describe connecting the VPN using the FortiClient GUI or FortiTray.

Account | Logged in user with admin privilege | Logged in user with non-admin privilege
--- | --- | ---
User account | Yes, certificate found, if the same administrator user imported the certificate | Yes, certificate found, if the same user imported the certificate
Computer account | Yes, certificate found | IPsec VPN: Yes, certificate found, if access permission granted to private key. SSL VPN: Yes, certificate found, if access permission granted to private key
SmartCard | Yes, certificate found, if same user that was logged on at the time card was inserted | Yes, certificate found, if same user that was logged on at the time card was inserted

When a user imports a certificate into the user account, a different logged-on user cannot access the same certificate.

A certificate on a smart card is imported into the user account of the logged-on user. As a result, the same conditions apply as with the user account.

The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate before a user logs into the endpoint:

Account | Unknown user before logging into Windows
--- | ---
User account | No certificate found
Computer account | Yes, certificate found
SmartCard | No certificate found