How to configure a SSL-VPN with certificate authentication on a Fortigate.

This is a detailed guide on how to configure a SSL VPN with certificate authentication on a Fortigate. We will be using OPENSSL to generate the CA and certificates.

1. Generate the CA or root certificate (Certificate Authority)

You will need to generate a root certificate to sign the Server and Client certificate. You will need to install the CA and Server Certificate on the Fortigate and the Client PKCS#12 certificate on the end user computer where the Forticlient VPN application is installed. This will create a chain of trust called public key infrastructure (PKI).

1.1 Create the directories to hold the CA certificate.

sudo mkdir /etc/ssl/CA
sudo mkdir /etc/ssl/newcerts

1.2 Create additional CA files

The CA needs a few additional files to operate, one to keep track of the last serial number used by the CA, and another file to record which certificates have been issued:

sudo sh -c "echo '01' > /etc/ssl/CA/serial"
sudo touch /etc/ssl/CA/index.txt

1.3 Edit the config file – nano /etc/ssl/openssl.cnf

This specifies the file locations for OPENSSL.

nano /etc/ssl/openssl.cnf
dir             = /etc/ssl              # Where everything is kept
database        = $dir/CA/index.txt     # database index file.
certificate     = $dir/certs/cacert.pem # The CA certificate
serial          = $dir/CA/serial        # The current serial number
private_key     = $dir/private/cakey.pem# The private key

1.4 Generate Root Certificate

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Please note that your Organization Name (O) needs to match on all your certificates that will be forming the chain of trust.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

You will need to ensure that your organization unit name (OU) is unique on each certificate in terms of the above. Steps 2 and 3 cover the Certificate Signing Request of both Server and Client where you will need to take into account these values.

1.5 Install the Root Certificate and Key

sudo mv cakey.pem /etc/ssl/private/
sudo mv cacert.pem /etc/ssl/certs/

2. Generate Server CSR (Certificate Signing Request) and Key

2.1 Generate Server Key

openssl genrsa -des3 -out server.key 2048

The next set of commands is so that you don’t have to enter a passphrase to generate the CSR (Certificate Signing Request)

openssl rsa -in server.key -out server.key.insecure
mv server.key
mv server.key.insecure server.key

2.2 Generate Server CSR

Please note the following need to be accurate for it to work – the organization (o) need to match on all 3 certificates

openssl req -new -key server.key -out server.csr

3. Generate Client CSR (Certificate Signing Request) and key

Repeat step 2 – replacing the word server with client. You should have the following files.

root@dhcp-server:/home/david# ls
client.csr  client.key server.csr  server.key

4. Sign both the Server and Client CSR’s

This will create the server and client certificate.

sudo openssl ca -in server.csr -config /etc/ssl/openssl.cnf
sudo openssl ca -in client.csr -config /etc/ssl/openssl.cnf

You will now have both the .crt files

root@dhcp-server:/home/david# ls
client.crt  client.key  server.crt  server.key

5. Generate the .pfx file or pkcs12 Client certificate

This will be installed on the host where application is installed

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.crt -certfile client.crt

You should now have the following files:

root@dhcp-server:/home/david# ls
client.crt  client.key  client.pfx  server.crt  server.key

6. Copy the CA certificate back to your home directory

cp /etc/ssl/certs/cacert.pem /home/david/

You will now have all the files you need for certificate authentication.

root@dhcp-server:/home/david# ls
cacert.pem  client.crt  client.key  client.pfx  server.crt  server.key

7. Install the Client certificate on the users computer

Copy the client.pfx to the users computer and double click the file. Using the Windows certificate wizard install the certificate to the personal certificate store.

8. Import CA Certificate to Fortigate

Import the cacert.pem file to your Fortigate. Under System/Certificates – Click Import and then CA Certificate. Then you will need to Click File and then the Upload button. You will now see the certificate installed

You will now see the certificate installed under Remote CA Certificates.

9. Import Server Certificate to Fortigate

You will need both server.crt and server.key for this. Again click Import and then time click local certificate. Upload the server and key file to the Fortigate as per below. Alternately you could generate the PKCS#12 or .pfx file (as was done withe client certificate).

You will now see the certificate on the Fortigate under local certificates. Please refer to the picture in step 8.

PLEASE NOTE: The following steps will assume that you have a working SSL VPN configuration and will not go through in detail the workings of a SSL-VPN setup.

10. Configure PKI user

10.1 You will need to specify a username, your CA certificate, and subject.

config user peer
    edit "yourusername"
        set ca "CA_Cert_1"
        set subject "C"

10.2 Obtaining the subject from the certificate

root@dhcp-server:/home/david# openssl x509 -noout -in client.crt -subject
subject=C = UK, ST = Some-State, O = SecNetLinux, OU = Client, CN = Client

Once this has been completed you will see the PKI option on the GUI and can then put the PKI users that you have created into the corresponding SSLVPN groups.

10.3 Add two factor authentication

11. Configure the SSL-VPN settings

You will set the server certificate which you uploaded earlier ( set servercert “SSLSERVER” ) and also set the reqclientcert to enable. I have also set the default-portal to web-access although we will be using Forticlient.

config vpn ssl settings
    set reqclientcert enable
    set servercert "SSLSERVER"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan1"
    set source-address "all"
    set source-address6 "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN"
            set portal "full-access"

Again I have not gone through too much detail regarding the SSL-VPN setup. You will need make sure you have your firewall policies, portal mappings etc in place for this to work. This guide assumes you have a working SSL-VPN configuration in place and that you are adding additional authentication.

12. Configure Forticlient

You will see once you have successfully installed the Client certificate as per step 7 it will populate the drop down next to Client Certificate.

13. Troubleshooting Commands on the Fortigate

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug application sslvpn -1
diagnose debug enable

Please let me know what you thought of the guide and if it worked, what issues you ran into or if anything wasn’t clear. Thank you for reading.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s