System Settings FortiManager 5.2

Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns an authentication successful or denied notification. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.
To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. To do this you need to:
- configure a PKI user
- create a PKI user group
- configure an administrator to authenticate with a PKI certificate
To use PKI certificate authentication, you will need the following certificates:
- an X.509 certificate for the FortiManager administrator (administrator certificate)
- an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA certificate)
For information on configuring a PKI server for remote administrator authentication, see Remote authentication server.
To get the CA certificate:
1. Log into your FortiAuthenticator.
2. Go to Certificate Management > Certificate Authorities > Local CAs.
3. Select the certificate and select Export in the toolbar to save the ca_fortinet.com CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.
To get the administrator certificate:
1. Log into your FortiAuthenticator.
2. Go to Certificate Management > End Entities > Users.
3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved administrator certificate’s filename is admin_fortinet.com.p12. This PKCS#12 file is password protected; you must enter a password on export. The bundle contains the administrator’s private key as well as the certificate, so store it and its password as carefully as any other credential.
To import the administrator certificate into your browser:
1. In Mozilla Firefox, go to Edit > Preferences > Advanced > Encryption > View Certificates > Import.
2. Select the file admin_fortinet.com.p12 and enter the password used in the previous step.
To import the CA certificate into the FortiManager:
1. Log into your FortiManager.
2. Go to System Settings > Certificates > CA Certificates.
3. Select Import in the toolbar and browse for the ca_fortinet.com.crt file that you saved to your management computer. The certificate is displayed as CA_Cert_1.
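Before importing the CA certificate into FortiManager and binding an administrator account to it, it is worth confirming on the management computer that the exported files fit together: that the CA certificate is actually a CA certificate, that the administrator certificate chains to that CA and carries the client-authentication key usage a browser needs, and that the subject inside the PKCS#12 bundle is the one you will configure for the administrator. The script below is an added example and not part of the FortiManager documentation. It uses OpenSSL to build a throwaway test PKI (the subjects ca.fortinet.com and admin@fortinet.com, the file names, the password changeit and the second, unrelated CA are all constructed for the example), then runs the same checks you would run against the real ca_fortinet.com.crt and admin_fortinet.com.p12 exported from FortiAuthenticator.

```shell
#!/bin/sh
# Added example (not from the FortiManager documentation): check exported
# certificates with OpenSSL before importing them into FortiManager.
# All file names, subjects and the password "changeit" are constructed here.
set -eu

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf. v3_ca marks the CA cert as a CA; v3_admin marks the
# administrator cert as a non-CA, client-authentication certificate.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_admin]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build a throwaway PKI in directory $1: the CA, an admin cert signed by it,
# a password-protected PKCS#12 bundle (what FortiAuthenticator exports), and
# an unrelated CA for the negative case.
make_test_pki() {
    d="$1"; mkdir -p "$d"; write_cfg "$d/x.cnf"
    openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=ca.fortinet.com" \
        -keyout "$d/ca.key" -out "$d/ca_fortinet.com.crt" 2>/dev/null
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=admin/emailAddress=admin@fortinet.com" \
        -keyout "$d/admin.key" -out "$d/admin.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/admin.csr" \
        -CA "$d/ca_fortinet.com.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -extfile "$d/x.cnf" -extensions v3_admin \
        -out "$d/admin_fortinet.com.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/admin.key" -in "$d/admin_fortinet.com.crt" \
        -certfile "$d/ca_fortinet.com.crt" -passout pass:changeit \
        -out "$d/admin_fortinet.com.p12"
    openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days 30 -subj "/CN=other-ca.example" \
        -keyout "$d/other.key" -out "$d/other_ca.crt" 2>/dev/null
}

# 0 if $1 is a CA certificate (basicConstraints CA:TRUE), 1 otherwise.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# 0 if the admin certificate $2 was signed by the CA certificate $1, 1 otherwise.
# This is the relationship FortiManager relies on when it checks a presented
# administrator certificate against the CA selected in the admin account.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if $1 carries the clientAuth EKU that browsers use for TLS client auth.
is_client_auth_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'
}

# Print the subject of the certificate inside PKCS#12 bundle $1 (password $2),
# to compare with what you enter as the PKI administrator's Subject.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject
}

# Demo: run as "sh check_pki.sh demo".
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    make_test_pki "$t"
    is_ca_cert "$t/ca_fortinet.com.crt" && echo "ca_fortinet.com.crt is a CA certificate"
    chains_to_ca "$t/ca_fortinet.com.crt" "$t/admin_fortinet.com.crt" \
        && echo "admin cert chains to ca_fortinet.com.crt"
    chains_to_ca "$t/other_ca.crt" "$t/admin_fortinet.com.crt" \
        || echo "admin cert does NOT chain to other_ca.crt (wrong CA: PKI login would be denied)"
    is_client_auth_cert "$t/admin_fortinet.com.crt" && echo "admin cert allows TLS client auth"
    echo "PKCS#12 $(p12_subject "$t/admin_fortinet.com.p12" changeit)"
    rm -rf "$t"
fi
```

To check real files, call `is_ca_cert ca_fortinet.com.crt`, `chains_to_ca ca_fortinet.com.crt admin.crt` (after extracting the certificate from the .p12 with `openssl pkcs12 -clcerts -nokeys`) and `p12_subject admin_fortinet.com.p12 <password>` from a shell that has sourced the script; a CA file that fails `chains_to_ca` against the administrator certificate is the wrong CA to select in the account, and the login will be denied no matter what else is configured.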
To create a new PKI administrator account:
1. Go to System Settings > Admin > Administrator and select Create New in the toolbar. The New Administrator dialog box opens.
2. Configure the following settings:
User Name Type the name that this administrator uses to log in. This field is available if you are creating a new administrator account.
Description Optionally, type a description of this administrator’s role, location or reason for their account. This field adds an easy reference for the administrator account. (Character limit = 127)
Type Select PKI from the drop-down list.
Subject Type a comment in the subject field for the PKI administrator.
CA Select the CA certificate (CA_Cert_1) from the drop-down menu.
Require two-factor authentication Select to enable two-factor authentication.
New Password Type the password.
Admin Profile Select a profile from the drop-down menu. The profile selected determines the administrator’s permission to the FortiManager unit’s features. To create a new profile, see Configuring administrator profiles.
Administrative Domain Choose the ADOMs this administrator will be able to access, or select All ADOMs. Select Specify and then select the add icon to add Administrative Domains. Select the remove icon to remove an administrative domain from this list.
This field is available only if ADOMs are enabled. When the Admin Profile is a restricted administrator profile, you can only select one administrative domain. Best practice: Restrict administrator access only to the specific ADOMs that they are responsible for.
Policy Package Access Choose the policy packages this administrator will have access to, or select All Package. Select Specify and then select the Add icon to add policy packages.
Select the remove icon to remove a policy package from this list.
This field is not available when the Admin Profile is a restricted administrator profile.
Best practice: Restrict administrator access only to the specific policy packages that they are responsible for.
Trusted Host Optionally, type the trusted host IPv4 or IPv6 address and netmask from which the administrator can log in to the FortiManager unit. Select the Add icon to add trusted hosts. You can specify up to ten trusted hosts. Select the delete icon to remove a trusted host from this list.
Setting trusted hosts for all of your administrators can enhance the security of your system. For more information, see Using trusted hosts.
Best practice: Restrict administrator access by trusted hosts to help prevent unwanted access.
User Information (optional)
Contact Email Type a contact email address for the new administrator.
Contact Phone Type a contact phone number for the new administrator.

