Public Key Infrastructure – FortiAnalyzer – FortiOS 6.2.3
Public Key Infrastructure
Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns authentication successful or denied notifications. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.
To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:
- an X.509 certificate for the FortiManager administrator (administrator certificate)
- an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)
To get the CA certificate:
- Log into your FortiAuthenticator.
- Go to Certificate Management > Certificate Authorities > Local CAs.
- Select the certificate and select Export in the toolbar to save the CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.
To get the administrator certificate:
- Log into your FortiAuthenticator.
- Go to Certificate Management > End Entities > Users.
- Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved administrator certificate’s filename is com.p12. This PKCS#12 file is password protected. You must enter a password on export.
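Before importing either file, you can confirm on the management computer that the exported PKCS#12 bundle contains a certificate issued by the exported CA certificate, and see its subject and expiry date. The script below is an added example, not part of the Fortinet documentation; it assumes the `openssl` command-line tool is installed, and `check_admin_p12` and `make_demo_pki` are hypothetical helper names, the latter generating constructed throwaway certificates so the check can be tried offline.

```shell
#!/usr/bin/env bash
# Added example (not Fortinet code). Requires the openssl CLI, 1.1.0 or later.

# check_admin_p12 CA_CERT P12_FILE P12_PASSWORD
# Prints the administrator certificate's subject and expiry date.
# Returns 0 if it was issued by CA_CERT, 1 if not, 2 if the bundle cannot be read.
check_admin_p12() {
    local ca="$1" p12="$2" pass="$3" leaf rc=0
    leaf="$(mktemp)" || return 2
    # Extract only the client certificate (no private key). The password is
    # passed through the environment so it does not show up in the process list.
    if ! P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
            -clcerts -nokeys -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"
        echo "cannot read $p12 (wrong password or not PKCS#12)" >&2
        return 2
    fi
    openssl x509 -in "$leaf" -noout -subject -enddate
    # -no-CApath: trust only the given CA file, not the system trust store.
    openssl verify -no-CApath -CAfile "$ca" "$leaf" >/dev/null 2>&1 || rc=1
    rm -f "$leaf"
    [ "$rc" -eq 0 ] || echo "certificate was not issued by $ca" >&2
    return "$rc"
}

# Constructed sample data: a throwaway CA, an unrelated CA, and an administrator
# certificate signed by the first CA and exported as PKCS#12 (password demo-pass).
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other CA" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=admin1" \
        -keyout "$d/admin.key" -out "$d/admin.csr" 2>/dev/null
    openssl x509 -req -in "$d/admin.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/admin.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/admin.key" -in "$d/admin.crt" \
        -passout pass:demo-pass -out "$d/admin.p12"
}
```

With the real exports, pass the saved CA certificate file, the saved PKCS#12 file and the export password as the three arguments to `check_admin_p12`.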
To import the administrator certificate into your browser:
- In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
- Select the file com.p12 and enter the password used in the previous step.
To import the CA certificate into the FortiAnalyzer:
- Log into your FortiAnalyzer.
- Go to System Settings > Certificates > CA Certificates.
- Click Import, and browse for the ca_fortinet.com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.
To create a new PKI administrator account:
- Go to System Settings > Admin > Administrator.
- Click Create New. The New Administrator dialog box opens.
See Creating administrators on page 224 for more information.
- Select PKI for the Admin Type.
- Enter a comment in the Subject field for the PKI administrator.
- Select the CA certificate from the dropdown list in the CA
- Click OK to create the new administrator account.