Administration Guide

SSL certificate based authentication

A client certificate is obtained when an endpoint registers to EMS. FortiClient automatically submits a certificate signing request (CSR), and FortiClient EMS signs and returns the client certificate. The certificate is stored in the operating system's certificate store for subsequent connections. Endpoint information is synchronized between the FortiGate and FortiClient EMS. When an endpoint disconnects or is unregistered from EMS, its certificate is removed from the certificate store and revoked on EMS. The endpoint obtains a new certificate when it reconnects to EMS.

By default, client certificate authentication is enabled on the access proxy, so when the HTTPS request is received, the FortiGate's WAD process challenges the client to identify itself with its certificate. The FortiGate then makes a decision based on the following possibilities:

  1. If the client responds with a valid certificate from which the client UID and certificate SN can be extracted:

    • If the client UID and certificate SN match the record on the FortiGate, the client is allowed to continue with the ZTNA proxy rule processing.

    • If the client UID and certificate SN do not match the record on the FortiGate, the client is blocked from further ZTNA proxy rule processing.

  2. If the client cancels and responds with an empty client certificate:

    • If empty-cert-action is set to accept, the client is allowed to continue with ZTNA proxy rule processing.

    • If empty-cert-action is set to block, the client is blocked from further ZTNA proxy rule processing.

To configure the client certificate actions:
config firewall access-proxy
    edit <name>
        set client-cert {enable | disable}
        set empty-cert-action {accept | block}
    next
end
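The following is an added model of the decision procedure above (it is not FortiOS or FortiClient code). The EMS-synchronized endpoint table, the certificate identity fields, and the return format are constructed for illustration; it also shows the stale-serial case that follows from the page's revoke-and-reissue behaviour, where a certificate from before deregistration no longer matches the synchronized record.

```python
"""Model of the ZTNA access proxy client-certificate decision.

Added example, not FortiOS code. Endpoint records, UIDs and serial numbers
below are constructed; the real values come from the EMS synchronization.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed endpoint table as synchronized from EMS: client UID -> current cert SN.
EMS_RECORDS: Dict[str, str] = {
    "uid-endpoint-01": "1A2B",
    "uid-endpoint-02": "00FF",
}


@dataclass
class ClientCert:
    uid: str  # client UID carried in the certificate (constructed field name)
    sn: str   # certificate serial number


def access_proxy_decision(cert: Optional[ClientCert],
                          records: Dict[str, str],
                          empty_cert_action: str = "block") -> Tuple[bool, str]:
    """Return (allowed, reason) following the branches described on this page.

    `cert is None` models the client cancelling the prompt and sending an
    empty certificate; `empty_cert_action` mirrors `set empty-cert-action`.
    """
    if cert is None:
        # Branch 2: empty client certificate, decided by empty-cert-action.
        if empty_cert_action == "accept":
            return True, "empty certificate accepted by empty-cert-action"
        return False, "empty certificate blocked by empty-cert-action"

    # Branch 1: UID and SN were extracted; compare with the synchronized record.
    expected_sn = records.get(cert.uid)
    if expected_sn is None:
        return False, f"no record for UID {cert.uid}"
    if expected_sn.upper() != cert.sn.upper():
        # A certificate revoked on deregistration and since reissued with a
        # new SN lands here: the UID is known but the SN no longer matches.
        return False, f"SN mismatch for UID {cert.uid}"
    return True, "UID and SN match: continue ZTNA proxy rule processing"
```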

Example

In this example, a client connects to qa.fortinet.com and is prompted for a client certificate.

  • client-cert is set to enable, and empty-cert-action is set to block.

  • The ZTNA server is configured, and a ZTNA rule is set to allow this client.

  • The domain resolves to the FortiGate access proxy VIP.

Scenario 1:

When prompted for the client certificate, the client clicks OK and provides a valid certificate that is verified by the FortiGate.

Result:

The client passes SSL certificate authentication and is allowed to access the website.

Scenario 2:

When prompted for the client certificate, the client clicks Cancel, resulting in an empty certificate response to the access proxy.

Result:

Because the certificate response is empty and empty-cert-action is set to block, the WAD daemon blocks the connection.

Note

Currently, the Microsoft Edge, Google Chrome, and Safari browsers are supported by ZTNA.