This is a detailed guide on how to configure an SSL VPN with certificate authentication on a Fortigate. We will be using OpenSSL to generate the CA and the certificates.
1. Generate the CA or root certificate (Certificate Authority)
You will need to generate a root certificate to sign the Server and Client certificates. The CA certificate and the Server certificate are installed on the Fortigate, and the Client PKCS#12 certificate is installed on the end user's computer where the Forticlient VPN application is installed. Together these form a chain of trust, i.e. a public key infrastructure (PKI).
1.1 Create the directories to hold the CA certificate.
sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts
1.2 Create additional CA files
The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, and another file to record which certificates have been issued:
sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt
1.3 Edit the config file – nano /etc/ssl/openssl.cnf
These entries in the [ CA_default ] section specify the file locations OpenSSL will use when acting as a CA.

dir = /etc/ssl                          # Where everything is kept
database = $dir/CA/index.txt            # database index file
certificate = $dir/certs/cacert.pem     # The CA certificate
serial = $dir/CA/serial                 # The current serial number
private_key = $dir/private/cakey.pem    # The private key
1.4 Generate Root Certificate
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Please note that your Organization Name (O) needs to match on all your certificates that will be forming the chain of trust.
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :
Email Address :
Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password :
An optional company name :
You will also need to ensure that the Organizational Unit Name (OU) is different on each certificate, so that every certificate has a unique subject. Steps 2 and 3 cover the Certificate Signing Requests for the Server and Client, where you will need to take these values into account.
1.5 Install the Root Certificate and Key
sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/
2. Generate Server CSR (Certificate Signing Request) and Key
2.1 Generate Server Key
openssl genrsa -des3 -out server.key 2048
The next set of commands strips the passphrase from the key so that you don't have to enter it to generate the CSR (Certificate Signing Request). The passphrase-protected copy is kept as server.key.secure.

openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
2.2 Generate Server CSR
Please note that the values you enter need to be accurate for this to work: the Organization Name (O) needs to match on all three certificates.
openssl req -new -key server.key -out server.csr
3. Generate Client CSR (Certificate Signing Request) and key
Repeat step 2, replacing the word server with client. You should now have the following files.

root@dhcp-server:/home/david# ls
client.csr  client.key  server.csr  server.key
4. Sign both the Server and Client CSRs
This will create the server and client certificate.
sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf -out server.crt
sudo openssl ca -in client.csr -config /etc/ssl/openssl.cnf -out client.crt

You will now have both .crt files (without -out, openssl ca only prints the signed certificate to the terminal and stores a copy under /etc/ssl/newcerts).

root@dhcp-server:/home/david# ls
client.crt  client.key  server.crt  server.key
5. Generate the .pfx file or pkcs12 Client certificate
This file bundles the client key, the client certificate and the CA certificate, and will be installed on the host where the Forticlient application is installed. You will be prompted for an export password, which the user will need when importing the file in step 7.

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile /etc/ssl/certs/cacert.pem
You should now have the following files:
root@dhcp-server:/home/david# ls
client.crt  client.key  client.pfx  server.crt  server.key
6. Copy the CA certificate back to your home directory
cp /etc/ssl/certs/cacert.pem /home/david/
You will now have all the files you need for certificate authentication.
root@dhcp-server:/home/david# ls
cacert.pem  client.crt  client.key  client.pfx  server.crt  server.key
7. Install the Client certificate on the user's computer
Copy client.pfx to the user's computer and double-click the file. Using the Windows certificate import wizard, install the certificate into the Personal certificate store (you will be asked for the export password from step 5).
8. Import CA Certificate to Fortigate
Import the cacert.pem file to your Fortigate. Under System/Certificates, click Import and then CA Certificate. Select File, choose cacert.pem and click Upload. You will now see the certificate installed under Remote CA Certificates.
9. Import Server Certificate to Fortigate
You will need both server.crt and server.key for this. Again click Import, and this time click Local Certificate. Upload the certificate and key file to the Fortigate as per below. Alternatively you could generate a PKCS#12 or .pfx file (as was done with the client certificate) and upload that instead.
You will now see the certificate on the Fortigate under local certificates. Please refer to the picture in step 8.
PLEASE NOTE: The following steps assume that you have a working SSL VPN configuration and will not go through the workings of an SSL-VPN setup in detail.
10. Configure PKI user
10.1 You will need to specify a username, your CA certificate, and the subject that the client certificate must carry. The subject string is compared against the subject of the presented certificate, so the more specific it is (for example the OU or CN from 10.2), the fewer certificates signed by this CA it will accept.

config user peer
    edit "yourusername"
        set ca "CA_Cert_1"
        set subject "C"
    next
end
10.2 Obtaining the subject from the certificate
root@dhcp-server:/home/david# openssl x509 -noout -in client.crt -subject
subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client
Once this has been completed you will see the PKI option on the GUI and can then put the PKI users that you have created into the corresponding SSLVPN groups.
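Steps 1 to 6 carried out unattended, plus the subject lookup from 10.2, as an added example that is not part of the original guide: it writes its own minimal openssl.cnf into a scratch directory (the paths, the subject values and the "changeit" export password are constructed placeholders), enforces the "Organization must match" policy the guide relies on, and verifies the chain of trust before anything is uploaded to the Fortigate.

```shell
# Added example, not from the original guide: steps 1-6 run unattended in a
# scratch directory with a self-contained openssl.cnf. Subject values are
# constructed (O matches on all three certificates, OU differs); "changeit"
# is a placeholder PKCS#12 export password.
set -eu
build_pki() {
  dir=$1; cnf="$dir/openssl.cnf"
  mkdir -p "$dir/CA" "$dir/newcerts" "$dir/certs" "$dir/private"
  echo 01 > "$dir/CA/serial"; : > "$dir/CA/index.txt"
  cat > "$cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/CA/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/certs/cacert.pem
serial = \$dir/CA/serial
private_key = \$dir/private/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
organizationName = match
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  base="/O=SecNetLinux"
  # 1.4/1.5: root CA (key left unencrypted so the script needs no passphrase)
  openssl req -new -x509 -config "$cnf" -extensions v3_ca -nodes -days 3650 \
    -subj "$base/OU=CA/CN=Root CA" -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem"
  # 2-4: key and CSR per role, then sign with the CA; OU keeps each subject unique
  for role in server client; do
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -subj "$base/OU=$role/CN=$role" \
      -keyout "$dir/$role.key" -out "$dir/$role.csr"
    openssl ca -batch -notext -days 365 -config "$cnf" -in "$dir/$role.csr" -out "$dir/$role.crt"
  done
  # 5: client PKCS#12 bundled with the CA cert, for the Forticlient host
  openssl pkcs12 -export -passout pass:changeit -out "$dir/client.pfx" \
    -inkey "$dir/client.key" -in "$dir/client.crt" -certfile "$dir/certs/cacert.pem"
  # Check the chain of trust before anything is uploaded to the Fortigate
  openssl verify -CAfile "$dir/certs/cacert.pem" "$dir/server.crt" "$dir/client.crt"
}
# 10.2: the subject string to compare against "config user peer ... set subject"
cert_subject() { openssl x509 -noout -nameopt RFC2253 -subject -in "$1"; }
if [ -n "${1:-}" ]; then build_pki "$1" && cert_subject "$1/client.crt"; fi
```

Run it as `sh build_pki.sh /tmp/pki`; the files land in /tmp/pki instead of /etc/ssl, so nothing on the system CA is touched.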
10.3 Add two factor authentication
11. Configure the SSL-VPN settings
You will set the server certificate which you uploaded earlier (set servercert "SSLSERVER") and also set reqclientcert to enable, so that the Fortigate requires a client certificate. I have also set the default-portal to web-access although we will be using Forticlient.

config vpn ssl settings
    set reqclientcert enable
    set servercert "SSLSERVER"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "full-access"
        next
    end
end
Again, I have not gone into much detail regarding the SSL-VPN setup. You will need to make sure you have your firewall policies, portal mappings etc. in place for this to work. This guide assumes you have a working SSL-VPN configuration in place and that you are adding certificate authentication on top of it.
12. Configure Forticlient
Once you have successfully installed the client certificate as per step 7, it will appear in the drop-down next to Client Certificate in Forticlient.
13. Troubleshooting Commands on the Fortigate
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable
Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.