FortiClient
ahsanali_FTNT
Article Id 196769

Description

This article lists the steps necessary to request a User Certificate from Windows Certificate Services, export a Certificate & Key pair as PFX, and install the PFX on a remote workstation for use with FortiClient.


Scope

This article assumes that Windows Certificate Services is already deployed in the network environment. Access to a domain member workstation is required, as well as a domain user account.

These steps were tested on Windows 7, Windows XP and Windows Server 2008 R2.


Solution

1) Access Certificate Services from a Domain Member PC

Step 1: Log into a Domain Member PC and start a Microsoft© Management Console session: press Windows Key + R and type "mmc.exe".

ahsanfclient_1.png

Step 2: Add the Certificates Snap-In: go to File > Add/Remove Snap-In > Certificates > Add. This opens another prompt; select "My User Account". This loads the logged-in user's Certificate stores.

ahsanfclient_2.png           ahsanfclient_3.png

2) Request a User Certificate

Step 1: Expand the Personal Folder, and right click on the Certificates Folder. Go to All Tasks > Request New Certificate.

ahsanfclient_4.png

Step 2:
Follow the Certificate Enrollment Wizard. Ensure your settings match the following screenshots.

ahsanfclient_5.png    ahsanfclient_6.png 

ahsanfclient_7.png   ahsanfclient_8.png

Step 3: Once the enrollment completes, the new Certificate should now appear under Personal > Certificates Folder. Ensure the Intended Purposes column lists Encryption and Authentication.
If either of these attributes is missing, the User Enrollment policy needs to be modified on the Windows Certificate Authority Server. If everything matches, then you have successfully requested and obtained a User Certificate.

ahsanfclient_9.png
NOTE:
The key icon indicates that this certificate store has both the public key and private key for this Certificate.

3) Export the Certificate Key Pair

Step 1: Now that we have a User Certificate we can export the Certificate Key pair. This will allow us to deploy the User Certificate on a remote workstation to use with FortiClient.
From the same Microsoft© Management Console expand the Personal Folder, and right click on the Certificates Folder. Go to All Tasks > Export...

ahsanfclient_10.png

Step 2:
Follow the Certificate Export Wizard. Ensure your settings match the following screenshots.

ahsanfclient_11.png  ahsanfclient_12.png
ahsanfclient_13.png  ahsanfclient_14.png

Step 3: Complete the Certificate Export Wizard by selecting a destination to save the PFX file. Once the Wizard completes, you will have a PFX file that can be installed on any workstation.

ahsanfclient_15.png  ahsanfclient_16.png
NOTE: The key icon indicates that this PFX file has both the public key and private key. Even though this file is protected with a password, take care not to let this file fall into unauthorized hands.

4) Install the PFX file on a remote PC for use with FortiClient

Step 1: Find a secure method of transporting the PFX file to the local storage of the remote Workstation.

Step 2:
Double-click the PFX file. This will start the Certificate Import Wizard. Ensure your settings match the following screenshots.

ahsanfclient_20.png  ahsanfclient_18.png
ahsanfclient_19.png  ahsanfclient_20.png

Step 3:
Once the Certificate Import Wizard completes, you should see two Certificates in your Personal Certificate Folder. One will be the User Certificate, and the other will be the CA Certificate.
The CA Certificate belongs in the Trusted Root Certification Authorities Folder.

ahsanfclient_21.png   ahsanfclient_22.png

Step 4:
Verify that FortiClient recognizes this imported Certificate. Run FortiClient and configure any VPN to use Certificates. You should be able to select the imported Certificate.

ahsanfclient_23.png

Step 5:
Once you've verified that the Certificate is recognized by FortiClient, destroy all copies of the PFX file.
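
The checks in this procedure (private key present, intended purposes, CA certificate placement, and PFX cleanup) can also be run as a read-only PowerShell audit on the remote workstation. This is an added example, not part of the original article; the `$SearchPaths` folders are assumptions, and it treats the "Authentication" purpose as the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2).

```powershell
# Added example, not part of the original article. All checks are read-only.
# ASSUMPTION: $SearchPaths lists the folders where the PFX was saved or copied.
$SearchPaths   = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads")
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Open the current user's Personal store, the one shown by the "My User Account" snap-in.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open('ReadOnly')
try {
    $report = foreach ($cert in $store.Certificates) {
        $ekuNames = @(); $ekuOids = @(); $isCa = $false
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                # EKU entries are what the snap-in shows as "Intended Purposes"
                foreach ($oid in $ext.EnhancedKeyUsages) {
                    $ekuNames += $oid.FriendlyName
                    $ekuOids  += $oid.Value
                }
            }
            elseif ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                $isCa = $ext.CertificateAuthority
            }
        }
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey                  # the key icon in the snap-in
            ClientAuth    = ($ekuOids -contains $ClientAuthOid)
            Purposes      = ($ekuNames -join ', ')
            CaInPersonal  = $isCa                                # CA certs belong under Trusted Root
            NotAfter      = $cert.NotAfter
        }
    }
}
finally {
    $store.Close()
}
$report | Format-List Subject, Thumbprint, HasPrivateKey, ClientAuth, Purposes, CaInPersonal, NotAfter

# Step 5: any PFX/P12 file still present is a copy of the private key on disk.
$leftovers = Get-ChildItem -Path $SearchPaths -Recurse -Include *.pfx, *.p12 -ErrorAction SilentlyContinue
if ($leftovers) {
    $leftovers | Select-Object FullName, LastWriteTime
} else {
    'No PFX/P12 files found in the searched folders.'
}
```

The imported User Certificate should report `HasPrivateKey` and `ClientAuth` as True; an entry with `CaInPersonal` set to True is the CA Certificate that Step 3 says belongs in Trusted Root Certification Authorities.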
