FortiGate supports client certificate authentication used in mutual Transport Layer Security (mTLS) communication between a client and server. Clients are issued certificates by the CA, and an access proxy configured on the FortiGate uses the new certificate method in the authentication scheme to identify and approve the certificate provided by the client when they try to connect to the access proxy. The FortiGate can also add the HTTP header X-Forwarded-Client-Cert to forward the certificate information to the server.
In these examples, the access proxy VIP IP address is 10.1.100.200.
In this example, clients are issued unique client certificates from your CA. The FortiGate authenticates the clients by their user certificate before allowing them to connect to the access proxy. The access proxy acts as a reverse proxy for the web server that is behind the FortiGate.
This example assumes that you have already obtained the public CA certificate from your CA, the root CA of the client certificate has been imported (CA_Cert_1), and the client certificate has been distributed to the endpoints.
Configure user authentication. Both an authentication scheme and rule must be configured, as the authentication is applied on the access proxy:
config authentication scheme
    edit "mtls"
        set method cert
        set user-cert enable
    next
end
config authentication rule
    edit "mtls"
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set active-auth-method "mtls"
    next
end
Select the CA or CAs used to verify the client certificate:
config authentication setting
    set user-cert-ca "CA_Cert_1"
end
Configure the users. Users can be matched based on either the common-name on the certificate or the trusted issuer.
Verify the user based on the common name on the certificate:
config user certificate
    edit "single-certificate"
        set type single-certificate
        set common-name "client.fortinet.com"
    next
end
Verify the user based on the CA issuer:
config user certificate
    edit "trusted-issuer"
        set type trusted-issuer
        set issuer "CA_Cert_1"
    next
end
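The two user types differ in what they match once the client certificate has been validated against user-cert-ca. The following Go program is an added illustration of that decision, not FortiGate code: it builds a constructed CA named CA_Cert_1 and three constructed client certificates, then shows which of a single-certificate user (common-name client.fortinet.com) and a trusted-issuer user (issuer CA_Cert_1) each one would match. The Decision, Evaluate, issue and Scenario names are this example's own.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Decision: chain validation against user-cert-ca, then the "single-certificate"
// (common-name) and "trusted-issuer" (issuing CA) user matches the page configures.
type Decision struct{ ChainOK, SingleCertUser, TrustedIssuerUser bool }

// Evaluate applies those checks; wantCN is the configured common-name, issuer the CA named by "set issuer".
func Evaluate(cert, issuer *x509.Certificate, wantCN string, roots *x509.CertPool) Decision {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return Decision{} // unverifiable certificate: matches no user at all
	}
	// TrustedIssuerUser is true only when the verified chain terminates at the configured issuer CA.
	return Decision{true, cert.Subject.CommonName == wantCN, chains[0][len(chains[0])-1].Equal(issuer)}
}

// issue creates a constructed Ed25519 certificate; with parent nil it is a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // CA: self-signed and allowed to sign certificates
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // client leaf: carries the clientAuth EKU an mTLS client certificate needs
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario: CA_Cert_1 plus three clients (expected; another name, same CA; expected name, unrelated CA).
func Scenario() (expected, otherName, otherCA Decision) {
	ca, caKey := issue("CA_Cert_1", nil, nil)
	rogue, rogueKey := issue("Unrelated CA", nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	const cn = "client.fortinet.com"
	c1, _ := issue(cn, ca, caKey)
	c2, _ := issue("other.fortinet.com", ca, caKey)
	c3, _ := issue(cn, rogue, rogueKey)
	return Evaluate(c1, ca, cn, roots), Evaluate(c2, ca, cn, roots), Evaluate(c3, ca, cn, roots)
}
```

A certificate carrying the expected common-name but issued by a CA that is not in user-cert-ca fails validation outright, so neither user type ever sees it.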
Configure the access proxy VIP. The SSL certificate is the server certificate that is presented to the user as they connect:
config firewall vip
    edit "mTLS"
        set type access-proxy
        set extip 10.1.100.200
        set extintf "port2"
        set server-type https
        set extport 443
        set ssl-certificate "Fortinet_CA_SSL"
    next
end
Configure the access proxy policy, including the real server to be mapped. To request the client certificate for authentication,
config firewall access-proxy
    edit "mTLS-access-proxy"
        set vip "mTLS"
        set client-cert enable
        set empty-cert-action accept
        config api-gateway
            edit 1