mTLS client certificate authentication

FortiGate supports client certificate authentication for mutual Transport Layer Security (mTLS) communication between a client and a server. Clients are issued certificates by a CA, and an access proxy configured on the FortiGate uses the certificate method (method cert) in the authentication scheme to identify and approve the certificate that the client presents when connecting to the access proxy. The FortiGate can also add the HTTP header X-Forwarded-Client-Cert to forward the certificate information to the server.
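When the FortiGate forwards the certificate information in X-Forwarded-Client-Cert, the real server must only trust that header on connections that actually arrive from the access proxy; otherwise a client that reaches the server directly could supply the header itself. The following is an added Go example of such a backend-side guard. It is not FortiGate code and not from this page: the proxy source address (198.51.100.10), the direct-client address and the header values are constructed, and the header's value format is not described on the page, so the guard only checks whether the header is present.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// ForwardedCertGuard is hypothetical middleware for the real server behind the
// access proxy. It honours X-Forwarded-Client-Cert only on connections whose
// source address is the proxy, so a direct client cannot inject the header.
type ForwardedCertGuard struct {
	ProxyIPs map[string]bool // source IPs the FortiGate uses toward the real server (assumed)
	Next     http.Handler
}

// Decide returns the HTTP status the guard applies: 0 lets the request through,
// 403 rejects connections that bypassed the proxy, and 401 rejects proxied
// requests that carry no client certificate information.
func Decide(remoteAddr, forwardedCert string, proxyIPs map[string]bool) int {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil || !proxyIPs[host] {
		return http.StatusForbidden
	}
	if forwardedCert == "" {
		return http.StatusUnauthorized
	}
	return 0
}

func (g ForwardedCertGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	const hdr = "X-Forwarded-Client-Cert"
	if code := Decide(r.RemoteAddr, r.Header.Get(hdr), g.ProxyIPs); code != 0 {
		r.Header.Del(hdr) // never let a spoofed value reach downstream handlers or logs
		http.Error(w, http.StatusText(code), code)
		return
	}
	g.Next.ServeHTTP(w, r)
}

func main() {
	// Constructed sample: 198.51.100.10 stands in for the FortiGate's address as
	// seen by the real server; 203.0.113.7 is a client that bypassed the proxy.
	proxies := map[string]bool{"198.51.100.10": true}
	for _, c := range []struct{ addr, hdr string }{
		{"198.51.100.10:51000", "CN=client.fortinet.com"}, // proxied, certificate info present
		{"198.51.100.10:51001", ""},                        // proxied, no certificate forwarded
		{"203.0.113.7:51002", "CN=client.fortinet.com"},    // direct connection, header spoofed
	} {
		fmt.Printf("%-20s header=%q -> status %d\n", c.addr, c.hdr, Decide(c.addr, c.hdr, proxies))
	}
}
```

The guard is deliberately address-based rather than header-based: the proxy's source address is something the server observes itself, whereas any header can be written by whoever opens the TCP connection.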

Examples

In these examples, the access proxy VIP IP address is 10.1.100.200.

Example 1

In this example, clients are issued unique client certificates from your CA. The FortiGate authenticates the clients by their user certificate before allowing them to connect to the access proxy. The access proxy acts as a reverse proxy for the web server that is behind the FortiGate.

This example assumes that you have already obtained the public CA certificate from your CA, the root CA of the client certificate has been imported (CA_Cert_1), and the client certificate has been distributed to the endpoints.

To configure the FortiGate:
  1. Configure user authentication. Both an authentication scheme and rule must be configured, as the authentication is applied on the access proxy:

    config authentication scheme
        edit "mtls"
            set method cert
            set user-cert enable
        next
    end
    config authentication rule
        edit "mtls"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set active-auth-method "mtls"
        next
    end
  2. Select the CA or CAs used to verify the client certificate:

    config authentication setting
        set user-cert-ca "CA_Cert_1"
    end
  3. Configure the users. Users can be matched based on either the common-name on the certificate or the trusted issuer.

    • Verify the user based on the common name on the certificate:

      config user certificate
          edit "single-certificate"
              set type single-certificate
              set common-name "client.fortinet.com"
          next
      end
    • Verify the user based on the CA issuer:

      config user certificate
          edit "trusted-issuer"
              set type trusted-issuer
              set issuer "CA_Cert_1"
          next
      end
  4. Configure the access proxy VIP. The SSL certificate is the server certificate that is presented to the user as they connect:

    config firewall vip
        edit "mTLS"
            set type access-proxy
            set extip 10.1.100.200
            set extintf "port2"
            set server-type https
            set extport 443
            set ssl-certificate "Fortinet_CA_SSL"
        next
    end
  5. Configure the access proxy policy, including the real server to be mapped. To request the client certificate for authentication, client-cert is enabled:

    config firewall access-proxy
        edit "mTLS-access-proxy"
            set vip "mTLS"
            set client-cert enable
            set empty-cert-action accept
            config api-gateway
                edit 1