Administration Guide

Certificate-based Web UI login

Unlike username/password authentication, certificate-based authentication uses a digital certificate, which relies on asymmetric cryptography, to identify a user before granting access to a resource. FortiWeb supports certificate-based authentication for administrators' Web UI login. FortiWeb controls an administrator's login by verifying the administrator's certificate when the connection to the Web UI is made through HTTPS. By default, certificate-based authentication can coexist with the original username/password authentication.

  • If you connect to the Web UI through HTTPS, FortiWeb first verifies the certificate you provided.
    • If your certificate is valid, then your access to Web UI will be granted (the username/password login page will not be displayed).
    • If certificate authentication fails, you will be directed to the username/password login page.
  • If you connect to the Web UI through HTTP, FortiWeb will only verify your access by the username/password.

However, you can configure FortiWeb through the CLI to use certificate-based authentication only:

config system global

set admin-https-pki-required {enable | disable}

end

When admin-https-pki-required is enabled, certificate-based authentication is the only method that FortiWeb uses to verify access to the Web UI. The administrator must connect to the Web UI through HTTPS and provide a correct certificate for authentication to succeed. The original username/password authentication is disabled (no username/password login page is displayed). If you fail the certificate authentication process, you will not be logged in to the Web UI.

To apply certificate-based authentication to an administrator, complete these tasks:

  1. To upload the CA's certificate of the administrator's certificate
  2. To create a PKI user
  3. To add the PKI user to an Admin group
  4. To apply the Admin group to an administrator

To upload the CA's certificate of the administrator's certificate
  1. Obtain a copy of your CA’s certificate file.
  2. Go to System > Admin > Certificates and select the Admin Cert CA tab.
    You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
    To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
  3. To upload a certificate, click Import.
  4. To select a certificate, do one of the following:
    • Enable SCEP and, in the field to the right of it, type the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediary network devices to obtain certificates.)

      To specify a specific CA, type an identifier in the field below the URL.

    • Enable Local PC and browse to find a certificate file.
  5. Click OK.

To upload the intermediate CA for the administrator

    If the certificate you are applying for HTTPS access to FortiWeb's GUI management is signed by several intermediate CAs, you need to import all the intermediate CA certificates of the certificate chain. FortiWeb will then send the intermediate CA certificates together with the server certificate when administrators access FortiWeb's GUI via HTTPS.

    1. Obtain a copy of your CA’s intermediate certificate file.
    2. Go to System > Admin > Certificates and select the Admin Intermediate CA tab.
      You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    3. To upload a certificate, click Import.
    4. To select a certificate, do one of the following:
      • Enable SCEP and in the field to the right of it, type the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediary network devices to obtain certificates.)

        To specify a specific CA, type an identifier in the field below the URL.

      • Enable Local PC and browse to find a certificate file.
    5. Click OK.
    6. Go to System > Admin > Certificates and select the Admin Intermediate CA Group tab.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
    7. Click Create New.
    8. In Name, type a name that can be referenced by other parts of the configuration. The maximum length is 63 characters.
    9. Click OK.
    10. Click Create New.
    11. In ID, type the index number of the host entry within the group, or keep the field’s default value of auto to let the FortiWeb appliance automatically assign the next available index number.
    12. In CA, select the name of an admin intermediary CA’s certificate that you previously uploaded and want to add to the group.
    13. Click OK.
    14. Repeat the previous steps for each intermediary CA certificate that you want to add to the group.
    15. To apply an intermediary CA certificate group, select it for HTTPS Server Intermediate CA Group in System > Admin > Settings.

    FortiWeb appliance will send the intermediate CA certificates together with the server certificate when administrators access FortiWeb's GUI via HTTPS.

    To create a PKI user

    1. Go to User > PKI User.
    2. You can click Edit to edit the selected PKI user.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see Permissions.
    3. To create a PKI user, click Create New.
    4. Complete the following settings:
      Name: Enter the PKI user name for the administrator.
      Subject: Enter the subject of the administrator's certificate, such as "C = US, ST = Washington, O = yourorganization, CN = yourname".
      CA: Select the CA certificate of the administrator's certificate. All the certificates imported in System > Admin > Admin Cert CA will be listed here. For details, see To upload the CA's certificate of the administrator's certificate.
    5. Click OK.

    To add the PKI user to an Admin group

    1. Go to User > User Group > Admin Group.
      To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see Permissions.
    2. Click Create New.
    3. In Name, type a name that can be referenced by other parts of the configuration, such as admin-remote-auth1. Do not use special characters. The maximum length is 63 characters.
    4. Click OK.
      The Create New button for this item, below its name, will no longer be greyed out, indicating that it has become available.
    5. Click Create New.
    6. For User Type, select the PKI User type.
    7. From Name, select the name of an existing PKI user that you created in User > PKI User > PKI User. For details, see To create a PKI user.
    8. Click OK.

    To apply the Admin group to an administrator

    Go to System > Admin > Administrators and apply the Admin group containing the PKI user to a corresponding administrator by selecting Remote User as the Type and selecting the group in Admin User Group.

    Administrators must first install their certificates in their local browsers. Every time you use the browser to connect to FortiWeb's Web UI through HTTPS, you will be required to select one of the certificates installed in the browser to authenticate yourself to FortiWeb. FortiWeb verifies the certificate you provide against the PKI users in Admin groups. If authentication succeeds, you are associated with the administrator account to which the matched PKI user and Admin group are applied, and the access profile will be applied to you.
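
Because a failed certificate check leaves no password fallback once admin-https-pki-required is enabled, the following pre-flight script (an added example, not part of the Fortinet guide) uses OpenSSL to confirm that an administrator's certificate chains to the CA file you import under Admin Cert CA, is not about to expire, and prints its subject in the "C = US, ..." layout shown for the Subject field. The function names, the 7-day expiry threshold and the throwaway sample CA are assumptions made for this example; confirm on your release that FortiWeb expects this subject layout.

```shell
#!/bin/sh
# Added example (not Fortinet code): pre-flight checks on an administrator's
# client certificate before setting admin-https-pki-required to enable.

# Subject in OpenSSL "oneline" form, e.g. "C = US, ST = Washington, ..."
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt oneline | sed 's/^subject= *//'
}

# True if cert $2 chains to CA file $1 and is acceptable for TLS client auth.
cert_chains_to() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# True if cert $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Run all checks, then print the subject to compare with the PKI user's Subject.
preflight() {  # usage: preflight ca.pem admin.pem (7-day threshold is assumed)
    cert_chains_to "$1" "$2" || { echo "FAIL: not issued by $1" >&2; return 1; }
    cert_valid_for "$2" 604800 || { echo "FAIL: expires within 7 days" >&2; return 1; }
    echo "Subject: $(cert_subject "$2")"
}

# Constructed sample data: a throwaway CA and admin certificate in directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=yourorganization/CN=Example Admin CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/ST=Washington/O=yourorganization/CN=yourname" \
        -keyout "$1/admin.key" -out "$1/admin.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/admin.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/admin.pem" 2>/dev/null
}

# With two arguments, check real files; otherwise run on the constructed sample.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && preflight "$tmp/ca.pem" "$tmp/admin.pem"
    rm -rf "$tmp"
fi
```

Run it as `sh preflight.sh ca.pem admin.pem` against the real files, and keep a working console or CLI session open while you switch the setting.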
