Certificate-based authentication
This section provides an overview of how the FortiGate unit verifies the identities of administrators, SSL VPN users, or IPsec VPN peers using X.509 security certificates.
The following topics are included in this section:
- What is a security certificate?
- Certificates overview
- Managing X.509 certificates
- Configuring certificate-based authentication
- Support for per-VDOM certificates
- Certificate-based authentication
- Example — Generate and Import CA certificate with private key pair on OpenSSL
- Example — Generate an SSL certificate in OpenSSL
What is a security certificate?
A security certificate is a small text file that is part of a third-party generated public key infrastructure (PKI) and helps guarantee the identity of both the user logging on and the web site where they are logging in.
A certificate includes identifying information such as the company and location information for the web site, as well as the third-party company name, the expiry date of the certificate, and the public key.
FortiGate units use X.509 certificates to authenticate single sign-on (SSO) for users. The X.509 standard has been in use since before 2000, but gained wider adoption as the Internet grew. X.509 v3 is defined in RFC 5280 and specifies standard formats for public key certificates, certificate revocation lists, and a certification path validation algorithm. The unused earlier X.509 version 1 was defined in RFC 1422.
The main difference between X.509 and PGP certificates is that in PGP anyone can sign a certificate, whereas in X.509 only a trusted authority can sign certificates. This limits the source of certificates to well-known and trustworthy sources. Where PGP is well suited for one-to-one communications, the X.509 infrastructure is intended to be used in many different situations, including one-to-many communications. Some common filename extensions for X.509 certificates are listed below.
Certificates overview
Common certificate filename extensions
| Filetype | Format name | Description |
| --- | --- | --- |
| .pem | Privacy Enhanced Mail (PEM) | Base64-encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". |
| .cer, .crt, .der | Security CERtificate | Usually binary DER form, but Base64-encoded certificates are common too. |
| .p7b, .p7c | PKCS#7 | Structure without data, just certificate(s) or CRLs. PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. |
| .p12 | PKCS#12 | May contain certificate(s) (public) and private keys (password protected). |
| .pfx | Personal Information Exchange (PFX) | Older format. Came before PKCS#12. Usually today data is in PKCS#12 format. |
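The table shows that the same certificate can arrive as Base64 text between PEM markers or as raw binary DER, and a FortiGate import fails when the file is not what its extension claims. The following Python, added here as an illustration and not part of the Fortinet handbook or of any FortiGate or OpenSSL code, classifies a file body by inspecting its bytes rather than its extension: it extracts PEM blocks, Base64-decodes them to DER, and checks that a DER blob is a single outer ASN.1 SEQUENCE with the three children (tbsCertificate, signatureAlgorithm, signatureValue) that RFC 5280 defines for Certificate. It uses only the standard library; the sample bytes `FAKE_DER` and `FAKE_PEM` are constructed to have the right outer shape and are not a real certificate.

```python
"""Classify certificate files as PEM or DER by content, not extension.
Added example (not FortiGate or OpenSSL code); standard library only."""
import base64
import re

# One PEM block: "-----BEGIN LABEL-----", Base64 body, "-----END LABEL-----".
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def read_der_tlv(buf: bytes, offset: int = 0):
    """Parse one tag-length-value at offset; return (tag, value_start, value_end).
    Handles short-form and long-form (up to 4 octet) lengths and rejects
    anything that would run past the end of the buffer."""
    if offset + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag = buf[offset]
    length = buf[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, pos, end


def pem_blocks(data: bytes):
    """Return [(label, der_bytes), ...] for every PEM block found in data."""
    blocks = []
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        b64 = b"".join(m.group(2).split())  # drop the 64-column line breaks
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks


def looks_like_der_certificate(der: bytes) -> bool:
    """True if der is exactly one outer SEQUENCE (tag 0x30) spanning the whole
    buffer whose value holds exactly three child elements, the shape of an
    RFC 5280 Certificate. This is a structural check, not a signature check."""
    try:
        tag, pos, end = read_der_tlv(der)
        if tag != 0x30 or end != len(der):
            return False
        children = 0
        while pos < end:
            _, _, pos = read_der_tlv(der, pos)
            children += 1
        return children == 3
    except ValueError:
        return False


def identify_format(data: bytes) -> str:
    """Return 'PEM(<labels>)', 'DER', or 'unknown' for a file body."""
    blocks = pem_blocks(data)
    if blocks:
        return "PEM(" + ",".join(label for label, _ in blocks) + ")"
    if looks_like_der_certificate(data):
        return "DER"
    return "unknown"


# Constructed sample: SEQUENCE { SEQUENCE { INTEGER 2 }, SEQUENCE { }, BIT STRING }.
# It has a certificate's outer shape but is NOT a real certificate.
FAKE_DER = bytes.fromhex("300a" "3003020102" "3000" "030100")
FAKE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(FAKE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, blob in (("FAKE_DER", FAKE_DER), ("FAKE_PEM", FAKE_PEM),
                       ("garbage", b"garbage")):
        print(f"{name}: {identify_format(blob)}")
```

Running the module prints `DER`, `PEM(CERTIFICATE)` and `unknown` for the three samples. The PEM label is worth surfacing because a `.cer` file can legitimately hold a `CERTIFICATE`, a `PKCS7` bundle or an `X509 CRL` block, and each needs a different import path; a length that does not match the buffer, which the check above rejects, is the usual symptom of a file truncated in transfer or saved with the wrong encoding.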