PKI or peer users
A PKI, or peer user, is a digital certificate holder. A PKI user account on the FortiGate unit contains the information required to determine which CA certificate to use to validate the user’s certificate. Peer users can be included in firewall user groups or peer certificate groups used in IPsec VPNs. For more on certificates, see Certificates overview on page 108.
To define a peer user you need:
- a peer username
- the text from the subject field of the user’s certificate, or the name of the CA certificate used to validate the user’s certificate
Creating a peer user
The peer user can be configured only in the CLI.
To create a peer user for PKI authentication – CLI example:
config user peer edit peer1 set subject peer1@mail.example.com
set ca CA_Cert_1
end
There are other configuration settings that can be added or modified for PKI authentication. For example, you can configure the use of an LDAP server to check access rights for client certificates. For information about the detailed PKI configuration settings, see the FortiGate CLI Reference.
Hi Mike, One question: if I have LDAP Users and a remote Radius Group which will check first given an username and password? I’m not able to see If the order is defined somewhere
Thank you