Public Key Infrastructure – FortiAnalyzer – FortiOS 6.2.3

Public Key Infrastructure

Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns an authentication successful or denied notification. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.

To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:

  • an X.509 certificate for the FortiManager administrator (administrator certificate)
  • an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)

To get the CA certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > Certificate Authorities > Local CAs.
  3. Select the certificate and select Export in the toolbar to save the com CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.

To get the administrator certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > End Entities > Users.
  3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved administrator certificate’s filename is com.p12. This PKCS#12 file is password protected. You must enter a password on export.

To import the administrator certificate into your browser:

  1. In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
  2. Select the file com.p12 and enter the password used in the previous step.

To import the CA certificate into the FortiAnalyzer:

  1. Log into your FortiAnalyzer.
  2. Go to System Settings > Certificates > CA Certificates.
  3. Click Import, and browse for the com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.

To create a new PKI administrator account:

  1. Go to System Settings > Admin > Administrator.
  2. Click Create New. The New Administrator dialog box opens. See Creating administrators on page 224 for more information.
  3. Select PKI for the Admin Type.
  4. Enter a comment in the Subject field for the PKI administrator.
  5. Select the CA certificate from the dropdown list in the CA
  6. Click OK to create the new administrator account.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
