Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiClient 6.0.9 Administration Guide
    6.0.9
    7.4.1
    7.4.0
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.10
    6.0.9
    6.0.8
    6.0.7
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0
    5.6.6
    5.6.5
    5.6.4
    5.6.3
    5.6.2
    5.6.1
    5.6.0
    5.4.5
    5.4.4
    5.4.3
    5.4.2
    5.4.1
    5.4.0

    Access to certificates in Windows Certificates Stores

    Access to certificates in Windows Certificates Stores

    On a Windows system, you can view certificates by using an MMC (Microsoft Management Console) snap-in called Certificates console. For more information, see the following Microsoft TechNet articles:

    The Certificates console offers the following snap-in options:

    • My user account
    • Service account
    • Computer account

    You can select one or more snap-in options, and they will display in the Certificates console. FortiClient typically searches for certificates in one of the following accounts:

    • User account – contains certificates for the logged on user
    • Computer account – contains certificates for the local computer

    If the certificate is in the local computer account, FortiClient can typically access the certificate. A certificate from the local computer account may be used to establish an IPsec VPN connection, regardless of whether the logged on user is an administrator or a non-administrator. For SSL VPN and IPsec VPN, the administrator needs to grant permission to users who are non-administrators to access the private key of the certificate. Otherwise, non-administrators cannot use the certificate in the computer account to establish SSL VPN connections. This restriction does not apply to any user with administrator level permission.

    If the certificate is in the user account, FortiClient can access the certificate, if the user has already successfully logged in, and the same user imported the certificate. In all other scenarios, FortiClient may be unable to access the certificate.

    The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate for users who are logged into the endpoint and connecting VPN tunnels:

    Account

    Connect VPN using FortiClient GUI or FortiTray

    Logged in user with admin privilege

    Logged in user with non-admin privilege

    User account

    Yes, certificate found, if the same administrator user imported the certificate

    Yes, certificate found, if the same user imported the certificate

    Computer account

    Yes, certificate found

    IPsec VPN: Yes, certificate found, if access permission granted to private key

    SSL VPN: Yes, certificate found, if access permission granted to private key

    SmartCard

    Yes, certificate found, if same user that was logged on at the time card was inserted

    Yes, certificate found, if same user that was logged on at the time card was inserted

    When a user imports a certificate into the user account, a different logged on user cannot access the same certificate.

    A certificate on a smart card is imported into the user account of the logged on user. As a result, the same conditions apply as with the user account.

    The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate before a user logs into the endpoint:

    Account

    Unknown user before logging into Windows

    User account

    No certificate found

    Computer account

    Yes certificate found

    SmartCard

    No certificate found
    Previous
    Next

    Access to certificates in Windows Certificates Stores

    Access to certificates in Windows Certificates Stores

    On a Windows system, you can view certificates by using an MMC (Microsoft Management Console) snap-in called Certificates console. For more information, see the following Microsoft TechNet articles:

    The Certificates console offers the following snap-in options:

    • My user account
    • Service account
    • Computer account

    You can select one or more snap-in options, and they will display in the Certificates console. FortiClient typically searches for certificates in one of the following accounts:

    • User account – contains certificates for the logged on user
    • Computer account – contains certificates for the local computer

    If the certificate is in the local computer account, FortiClient can typically access the certificate. A certificate from the local computer account may be used to establish an IPsec VPN connection, regardless of whether the logged on user is an administrator or a non-administrator. For SSL VPN and IPsec VPN, the administrator needs to grant permission to users who are non-administrators to access the private key of the certificate. Otherwise, non-administrators cannot use the certificate in the computer account to establish SSL VPN connections. This restriction does not apply to any user with administrator level permission.

    If the certificate is in the user account, FortiClient can access the certificate, if the user has already successfully logged in, and the same user imported the certificate. In all other scenarios, FortiClient may be unable to access the certificate.

    The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate for users who are logged into the endpoint and connecting VPN tunnels:

    Account

    Connect VPN using FortiClient GUI or FortiTray

    Logged in user with admin privilege

    Logged in user with non-admin privilege

    User account

    Yes, certificate found, if the same administrator user imported the certificate

    Yes, certificate found, if the same user imported the certificate

    Computer account

    Yes, certificate found

    IPsec VPN: Yes, certificate found, if access permission granted to private key

    SSL VPN: Yes, certificate found, if access permission granted to private key

    SmartCard

    Yes, certificate found, if same user that was logged on at the time card was inserted

    Yes, certificate found, if same user that was logged on at the time card was inserted

    When a user imports a certificate into the user account, a different logged on user cannot access the same certificate.

    A certificate on a smart card is imported into the user account of the logged on user. As a result, the same conditions apply as with the user account.

    The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate before a user logs into the endpoint:

    Account

    Unknown user before logging into Windows

    User account

    No certificate found

    Computer account

    Yes certificate found

    SmartCard

    No certificate found
    Previous
    Next