Configuring a PKI user
PKI users are users who are identified by a digital certificate they hold. Defining a PKI user in FortiOS specifies:
- Which CA certificate to use to validate the user’s certificate
- The field and value of the user’s certificate that FortiOS will check to verify a user
These peer users can then be used in a FortiGate user group, or as a peer certificate group used for IPsec VPN configurations that accept RSA certificate authentication.
Example X.509 certificate
The following certificate demonstrates which FortiGate settings can be used to match on different fields.
Subject:
Subject Alternative Name:
Certification path:
To configure a PKI user:
config user peer
    edit <name>
        set ca <string>
        set mandatory-ca-verify {enable | disable}
        set subject <string>
        set cn <string>
        set cn-type {string | email | FQDN | ipv4 | ipv6}
        set mfa-server <string>
        set mfa-username <string>
        set mfa-password <string>
        set mfa-mode {none | password | subject-identity}
    next
end
ca <string> | Specify which certificate on the FortiGate is used to validate the client’s certificate. This can be any CA in the client’s certificate chain. You may need to upload a CA certificate to the FortiGate specifically to identify PKI peer users (see CA certificate). |
mandatory-ca-verify {enable | disable} | Control the action if the CA certificate used to sign the client’s certificate is not installed on the FortiGate (default = enable). Disabling this setting makes the FortiGate consider any certificate presented by the peer as valid. In the example certificate, the certification path shows that VF_CA signed jcarrey’s certificate. |
subject <string> | Enter the peer certificate name constraints. |
cn <string> | Enter the peer certificate common name. |
cn-type {string | email | FQDN | ipv4 | ipv6} | Set the peer certificate common name type: string, email, FQDN, IPv4 address, or IPv6 address. See CN for more details. |
mfa-server <string> | Enter the name of a multi-factor authentication server defined under |
mfa-mode {none | password | subject-identity} | Set the mode for remote peer authentication, either by password or subject identity extracted from certificate. See LDAP for more details. |
mfa-username <string> | Enter the username for the remote multi-factor authentication server bind when the MFA mode is password. |
mfa-password <string> | Enter the password for the multi-factor authentication server bind when the MFA mode is password. |
Identifying users based on their client certificate
When the client’s certificate is valid, or mandatory-ca-verify is disabled, the FortiGate can then inspect the certificate to check specific fields for matching values. There are three ways of specifying which certificate field to verify: by subject, CN, or LDAP. All string comparisons are case sensitive.
Subject
This basic method verifies that the subject string defined in the PKI user setting matches a value or substring in the subject field of the user certificate. Further matching is controlled in the following VPN certificate settings.
config vpn certificate setting
    set subject-match {substring | value}
    set subject-set {superset | subset}
    set cn-match {substring | value}
    set cn-allow-multi {enable | disable}
end
subject-match {substring | value} | Control how to do relative distinguished name (RDN) value matching with the certificate subject name: |
set subject-set {superset | subset} | Control how to do RDN value matching with the certificate subject name: |
cn-match {substring | value} | Control how to do CN value matching with the certificate subject name: |
cn-allow-multi {enable | disable} | Enable/disable allowing multiple CN entries with the certificate subject name (default = enable). |
CN
Common name (CN) certificate verification compares the CN in the subject field with the configured string (such as set cn "jcarrey"). The following logic is used when configuring different CN types:
Type | Action |
---|---|
string | Based on the |
 | Look for a match in the certificate subject. |
FQDN | Look for a match in the certificate subject, then compare the mapped IP and client IP. The FQDN is only retrieved from the CN. |
ipv4 | Look for a match in the certificate subject, then compare the IP. |
ipv6 | Look for a match in the certificate subject, then compare the IP. |
The CN type also controls the format checking of the CN string. In this example, if the CN type is set to email, the CN must be in email format (set cn "jcarrey@fortinet.com").
LDAP
LDAP-integrated user authentication allows the FortiGate to check the connecting user against an LDAP server in two ways: through a username and password, or the certificate’s principal name. The password method requires the username and password of each authenticating user to be entered, so it is not recommended when configuring PKI users. The subject-identity method is recommended.
The UPN in the user certificate’s Subject Alternative Name (SAN) field is used to look up the user in the LDAP directory. The SAN in the certificate for UPN matching can be the UPN on the AD LDAP server (default), RFC 822 Name (corporate email address), or DNS name. If a match is found, then authentication succeeds. This type of configuration scales well since only one PKI user needs to be created on the FortiGate. Connecting clients use their unique user certificate to match within the configured LDAP server. See Using the SAN field for LDAP-integrated certificate authentication for an example.
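The CN and LDAP approaches described above, side by side, as an added example that is not part of the original documentation. It uses only the settings listed on this page. The peer names, the CA object name CA_Cert_1 (standing in for the imported VF_CA certificate), and the LDAP server name corp-ldap are assumptions.

```fortios
# Added illustration, not from the FortiOS documentation.
# Assumed names: "CA_Cert_1" is the FortiGate object holding the imported
# VF_CA certificate, "corp-ldap" is an LDAP server already defined on the
# FortiGate, and both peer names are arbitrary.

# Option 1: one peer per user, matched on the CN of the example certificate.
config user peer
    edit "pki-jcarrey"
        set ca "CA_Cert_1"
        # Default, stated explicitly. With "disable", any certificate
        # presented by the peer is considered valid.
        set mandatory-ca-verify enable
        set cn "jcarrey"
        set cn-type string
    next
end

# Matching behavior for the subject and CN checks: compare whole values
# instead of substrings. All comparisons are case sensitive.
config vpn certificate setting
    set subject-match value
    set cn-match value
end

# Option 2: a single peer for all users. The identity is taken from the
# certificate and looked up on the LDAP server, so no per-user peer and
# no mfa-username/mfa-password are configured.
config user peer
    edit "pki-ldap-users"
        set ca "CA_Cert_1"
        set mandatory-ca-verify enable
        set mfa-server "corp-ldap"
        set mfa-mode subject-identity
    next
end
```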