Description
This article explains why a PKI peer user must be created on the FortiGate for certificate authentication, and why its subject must match the user certificate.
In some cases, when SSL VPN or IPsec VPN is configured with certificate authentication, the connection fails even though the client presents a valid user certificate.
Scope
FortiGate.
Solution
This issue can occur when the PKI user created for the SSL VPN or IPsec VPN does not match the user certificate presented by the client.
The only parameter FortiGate checks to match an incoming user certificate against a PKI user is the ‘subject’ name.
This subject name must be the one in the user certificate’s subject field (CN = name).
If the CN in the client certificate and the subject in the PKI user entry on FortiGate differ, certificate authentication fails.
To create a PKI user, use the CLI commands below.
config user peer
    edit pki01
        set ca CA_Cert_1
        set subject "CN = name"     <----- Replace 'name' with the name in the CN field.
    end
In the above PKI user entry, ‘name’ is replaced with the subject CN of the user certificate (for example, ‘User01’ for a certificate issued with CN = User01), and ‘CA_Cert_1’ is the name of the CA certificate that signed the user certificate.
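The following added example (not from the article or from Fortinet) shows a pre-deployment check for the mismatch described above: it parses the `config user peer` block and the subject line printed by `openssl x509 -noout -subject` for the client certificate, and reports whether the CN values agree. The peer names, CA name, certificate subject and the rule "the peer's CN must equal the certificate's CN" are assumptions for illustration; the script does not reproduce FortiGate's own matching code.

```python
import re

# Constructed sample: what `openssl x509 -noout -subject -in user.crt` prints
# for the client certificate (not taken from a real deployment).
CERT_SUBJECT = "subject=C = US, O = Example Corp, CN = User01"

# Constructed sample: two hypothetical peer entries. pki01 still carries the
# article's placeholder 'name'; pki02 was edited to the real CN.
PEER_CLI = '''
config user peer
    edit pki01
        set ca CA_Cert_1
        set subject "CN = name"
    next
    edit pki02
        set ca CA_Cert_1
        set subject "CN = User01"
    next
end
'''

def parse_dn(dn: str) -> dict:
    """Split an OpenSSL-style DN ("C = US, CN = User01") into {ATTR: value}."""
    dn = re.sub(r"^subject\s*=\s*", "", dn.strip())
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().upper()] = value.strip()
    return out

def parse_peers(cli: str) -> dict:
    """Extract {peer_name: {"ca": ..., "subject": ...}} from a `config user peer` block."""
    peers, current = {}, None
    for line in cli.splitlines():
        line = line.strip()
        if m := re.match(r'edit\s+"?([^"\s]+)"?', line):
            current = m.group(1)
            peers[current] = {}
        elif current and (m := re.match(r'set\s+(ca|subject)\s+"?([^"]*)"?', line)):
            peers[current][m.group(1)] = m.group(2).strip()
    return peers

def check_peer(cert_subject: str, peer: dict) -> tuple:
    """Assumption: the CN in `set subject` must equal the certificate's CN."""
    cert_cn = parse_dn(cert_subject).get("CN")
    peer_cn = parse_dn(peer.get("subject", "")).get("CN")
    if not peer_cn:
        return False, "peer entry has no CN in 'set subject'"
    if cert_cn != peer_cn:
        return False, f"CN mismatch: certificate '{cert_cn}' vs peer '{peer_cn}'"
    return True, f"CN '{cert_cn}' matches; also confirm CA '{peer.get('ca')}' issued the certificate"
```

Run it against the real `show user peer` output and the client's certificate before opening a VPN support case; a CN mismatch here is the condition this article describes.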
Related articles:
Technical Note: Using Certificates to authenticate users in SSL VPN
Technical Note: How to configure IPsec dialup VPN with certificate based authentication
Copyright 2024 Fortinet, Inc. All Rights Reserved.