Access to certificates in Windows Certificates Stores
On a Windows system, you can view certificates by using an MMC (Microsoft Management Console) snap-in called Certificates console. For more information, see the following Microsoft TechNet articles:
The Certificates console offers the following snap-in options:
- My user account
- Service account
- Computer account
You can select one or more snap-in options, which display in the Certificates console. FortiClient typically searches for certificates in one of the following accounts:
- User account – contains certificates for the logged on user
- Computer account – contains certificates for the local computer
If the certificate is in the local computer account, FortiClient can typically access the certificate. A certificate from the local computer account may be used to establish an IPsec VPN connection, regardless of whether the logged on user is an administrator or a non-administrator. For SSL VPN and IPsec VPN, the administrator needs to grant permission to users who are non-administrators to access the private key of the certificate. Otherwise, non-administrators cannot use the certificate in the computer account to establish SSL VPN connections. This restriction does not apply to any user with administrator level permission.
If the certificate is in the user account, FortiClient can access the certificate, if the user has already successfully logged in, and the same user imported the certificate. In all other scenarios, FortiClient may be unable to access the certificate.
The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate for users who are logged into the endpoint and connecting VPN tunnels:
Account |
Connect VPN using FortiClient GUI or FortiTray |
|
---|---|---|
|
Logged in user with admin privilege |
Logged in user with non-admin privilege |
User account |
Yes, certificate found, if the same administrator user imported the certificate |
Yes, certificate found, if the same user imported the certificate |
Computer account |
Yes, certificate found |
IPsec VPN: Yes, certificate found, if access permission granted to private key SSL VPN: Yes, certificate found, if access permission granted to private key |
SmartCard |
Yes, certificate found, if same user that was logged on at the time card was inserted |
Yes, certificate found, if same user that was logged on at the time card was inserted |
When a user imports a certificate into the user account, a different logged on user cannot access the same certificate. |
A certificate on a smart card is imported into the user account of the logged on user. As a result, the same conditions apply as with the user account. |
FortiClient (Linux) does not support smart card. |
The following table summarizes when FortiClient can (yes) and cannot (no) locate the certificate before a user logs into the endpoint:
Account |
Unknown user before logging into Windows |
---|---|
User account |
No certificate found |
Computer account |
Yes certificate found |
SmartCard |
No certificate found |