Configuring certificate authentication for FortiAuthenticator
To configure a local root CA:
- Go to Certificate Management > Certificate Authorities > Local CAs, and select Create New.
The Create New Local CA Certificate window opens.
- In Certificate ID, enter a unique ID for the CA.
- Ensure that the Certificate type is Root CA.
- In Name(CN), enter the subject name, e.g., a domain name.
- Click OK.
To export the local root CA:
- Go to Certificate Management > Certificate Authorities > Local CAs.
- From the local CA certificate list, select the local root CA created in Configuring a local root CA, and select Export Certificate.
The public certificate for the CA is downloaded to your computer, and the certificate is later imported to FortiGate. See Importing local root CA.
To create a server certificate for FortiAuthenticator signed by the CA:
- Go Certificate Management > End Entities > Local Services, and select Create New.
The Create New Server Certificate window opens.
- In Certificate ID, enter a unique ID for the certificate.
- In the Certificate Signing Options pane, ensure that the Issuer is Local CA and the Certificate authority is the local CA created in Configuring a local root CA.
- In the Subject Information pane, for Name(CN), enter the FQDN of the server.
The certificate is used when configuring the zero trust tunnel. See Configuring a zero trust tunnel on FortiAuthenticator.
To import the local root CA to FortiGate:
-
Go to System > Certificates, and from the Create/Import dropdown, select CA Certificate.
The Import CA Certificate window opens.
- In Type, select File.
- Select Upload, and locate the local root certificate created in Configuring a local root CA on your computer.
- Click OK.
The imported root CA is available with the name
CA_Cert_X
whereX
denotes the number of certificates imported.The Issuer field for the imported root CA is the Name(CN) you gave it.
To rename the root CA on FortiGate:
In the CLI console, enter the following commands:
config vpn certificate ca
rename <cert> to <new name>
To create an address object on FortiGate for FortiAuthenticator:
- Go to Policy & Objects > Addresses, and from the Create New dropdown, select Address.
The New Address window opens.
- In Name, enter a name for the address.
- In IP/Netmask, enter the public IP address of the FortiAuthenticator with its subnet mask.
For FortiTrust Identity,
154.52.4.227
is the fixed WAN IP address for FortiAuthenticator Cloud to build zero trust tunnels into an on-prem environment.Use the IP address with its subnet mask.
- Click OK.
The address is used when Configuring an authentication rule.
To configure an authentication scheme with user-cert
enabled:
- Go to Policy & Objects > Authentication Rules.
- From the Create New dropdown, select Authentication Schemes.
The New Authentication Scheme window opens.
- In Name, enter a name for the authentication scheme.
- In Method:
- Select + to open the Select Entries window.
- Select Certificate.
- Select Close.
- Click OK.
Alternatively, in the CLI console, enter the following commands:
config authentication scheme
edit "test_scheme" #The authentication scheme name
set method cert
set user-cert enable
next
end
To configure an authentication rule that uses the authentication scheme:
- Go to Policy & Objects > Authentication Rules.
- From the Create New dropdown, select Authentication Rules.
The Add New Rule window opens.
- In Name, enter a name for the authentication rule.
- In Source Address:
- Select + to open the Select Entries window.
- Search and select the address object for FortiAuthenticator. See Address object for FortiAuthenticator.
- Select Close.
- In Incoming interface:
- From the dropdown, select the external interface used in Configuring a ZTNA server.
- Enable Authentication Scheme and from the dropdown select the authentication scheme created in Creating an authentication scheme.
- Set IP-based Authentication as Disable.
- Click OK.
Alternatively, in the CLI console, enter the following commands:
config authentication rule
edit "Cert-Auth-Rule" #The authentication rule name
set srcintf "port1"
set srcaddr "fac"
set ip-based disable
set active-auth-method "test_scheme" #The authentication scheme
next
end
To configure authentication setting to use the CA that issued the client certificate as the user-cert-ca
:
- In the CLI console, enter the following commands:
config authentication setting
set user-cert-ca "FAC_Cloud" #The CA certificate being used for client certificate verification
end