PKI or peer users

A PKI, or peer user, is a digital certificate holder. A PKI user account on the FortiGate unit contains the information required to determine which CA certificate to use to validate the user’s certificate. Peer users can be included in firewall user groups or peer certificate groups used in IPsec VPNs. For more on certificates, see Certificates overview on page 108.

To define a peer user you need:

• a peer username
• the text from the subject field of the user’s certificate, or the name of the CA certificate used to validate the user’s certificate

Creating a peer user

The peer user can be configured only in the CLI.

To create a peer user for PKI authentication – CLI example:

config user peer edit peer1 set subject peer1@mail.example.com

set ca CA_Cert_1

end

There are other configuration settings that can be added or modified for PKI authentication. For example, you can configure the use of an LDAP server to check access rights for client certificates. For information about the detailed PKI configuration settings, see the FortiGate CLI Reference.