FortiGate
Gab_FTNT
Staff
Article Id 230303
Description: This article describes how to create OpenSSL certificates to authenticate PKI users on FortiGate for a dial-up IPsec tunnel that uses certificate authentication.
Scope: FortiGate.
Solution

Requirements:
- A CA certificate which signs the user certificates.
- A client certificate signed by the CA.
- A server certificate signed by the CA.

This article walks through creating a self-signed CA, a client certificate signed by that CA, and a server certificate signed by that CA, all using OpenSSL.

The following templates will be used to create the above in this example. Create 3 text files, add the template for each, and change the extension from .txt to .cnf.

CA Certificate Template (RootCA.cnf)

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA
subjectAltName = @alt_names
[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
organizationName        = Organization Name (eg, company)
commonName              = Common Name (e.g. server FQDN or user's name)
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# extendedKeyUsage=serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = gbt.local

Client Certificate Template (Client.cnf)

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_req
[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
organizationName        = Organization Name (eg, company)
commonName              = Common Name (e.g. server FQDN or user's name)
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:false
subjectAltName       = DNS:gbt.local,DNS:vpn.gbt.local
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = clientAuth


Server Certificate Template (Server.cnf)

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = v3_req
x509_extensions    = v3_req
[ req_distinguished_name ]
countryName             = Country Name (2 letter code)
stateOrProvinceName     = State or Province Name (full name)
localityName            = Locality Name (eg, city)
organizationName        = Organization Name (eg, company)
commonName              = Common Name (e.g. server FQDN or user's name)
[ v3_req ]
subjectKeyIdentifier = hash
basicConstraints     = critical,CA:false
subjectAltName       = DNS:gbt.local,DNS:vpn.gbt.local
keyUsage             = critical,digitalSignature,keyEncipherment
extendedKeyUsage     = serverAuth


Create the Certificates

First, install OpenSSL for Windows.
Copy the templates created above into the OpenSSL folder. Then open a command prompt as an administrator and navigate to the OpenSSL folder.
For example: C:\Program Files\OpenSSL-Win64\bin

Create the CA certificate by running the following commands:

# openssl.exe genrsa -aes256 -out ca.key 2048
[ENTER A PASSWORD]

# openssl.exe req -new -x509 -extensions v3_ca -days 3650 -key ca.key -sha256 -out ca.pem -config RootCA.cnf
[ENTER THE INFORMATION REQUESTED]

The ca.key file and the CA certificate ca.pem should now be available.

Create the Client Certificate by running the following commands:

# openssl.exe genrsa -out client.key 2048
# openssl.exe req -new -key client.key -out client.csr -config client.cnf
[ENTER THE INFORMATION REQUESTED]
# openssl.exe x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out client.pem -days 1024 -sha256 -extfile client.cnf -extensions v3_req
[ENTER THE CA KEY PASSWORD]
# openssl.exe pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile ca.pem
[ENTER AN EXPORT PASSWORD: this is the password requested later when client.pfx is imported on the Windows client]

The client.key, client.csr and client.pem files, and the client.pfx PKCS#12 bundle, should now be available.

Create the Server Certificate by running the following commands:

# openssl.exe genrsa -out server.key 2048
# openssl.exe req -new -key server.key -out server.csr -config server.cnf
[ENTER THE INFORMATION REQUESTED]
# openssl.exe x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out server.pem -days 1024 -sha256 -extfile server.cnf -extensions v3_req
[ENTER THE CA KEY PASSWORD]
# openssl.exe pkcs12 -export -out server.pfx -inkey server.key -in server.pem -certfile ca.pem
[ENTER AN EXPORT PASSWORD]

Use server.key, the key generated in the first command, for both the CSR and the PKCS#12 bundle. Do not reuse ca.key for the server: the VPN server would then hold the CA signing key as its own key, and a compromise of the FortiGate's server key would also compromise the CA.

The server.key, server.csr and server.pem files, and the server.pfx PKCS#12 bundle, should now be available.


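The following script is an added example and is not part of the Fortinet article. It rebuilds the CA, client and server certificates from the three templates above on a POSIX shell (sh or bash with openssl on PATH, rather than the Windows openssl.exe used in the article) and then runs the checks worth doing before anything is imported into the FortiGate: each certificate chains to ca.pem, server.pem belongs to server.key and not to ca.key, and each certificate carries the intended extendedKeyUsage. The prompt = no setting, the constructed subject values, the unencrypted keys and the empty PKCS#12 export password are assumptions made so that the script runs unattended.

```shell
#!/bin/sh
# Added example, not code from the Fortinet article: rebuilds the CA, client and
# server certificates from the templates above on a POSIX shell and runs the
# checks worth doing before importing anything into the FortiGate.
# Assumptions: openssl on PATH, "prompt = no" instead of interactive prompts,
# keys left unencrypted, empty PKCS#12 export password, constructed subjects.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_templates() {
    # Non-interactive form of RootCA.cnf (subject values are constructed).
    cat > "$WORK/RootCA.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[req_distinguished_name]
C  = US
ST = State
L  = City
O  = GBT
CN = GBT Root CA
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
EOF
    # Client.cnf and Server.cnf differ only in the CN and the extendedKeyUsage.
    for role in client server; do
        if [ "$role" = client ]; then cn=Gabriel; eku=clientAuth
        else cn=vpn.gbt.local; eku=serverAuth; fi
        cat > "$WORK/$role.cnf" <<EOF
[req]
prompt = no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
C  = US
ST = State
L  = City
O  = GBT
CN = $cn
[v3_req]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:false
subjectAltName = DNS:gbt.local,DNS:vpn.gbt.local
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = $eku
EOF
    done
}

build_pki() (
    cd "$WORK"
    # Self-signed CA valid 10 years, as in the article (without the -aes256 passphrase).
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -key ca.key -config RootCA.cnf -out ca.pem
    # Each end entity makes its CSR with its OWN key. Passing ca.key here
    # would make the VPN server's key identical to the CA signing key.
    for role in client server; do
        openssl genrsa -out "$role.key" 2048 2>/dev/null
        openssl req -new -key "$role.key" -config "$role.cnf" -out "$role.csr"
        openssl x509 -req -in "$role.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 1024 -sha256 -extfile "$role.cnf" -extensions v3_req -out "$role.pem" 2>/dev/null
        openssl pkcs12 -export -out "$role.pfx" -inkey "$role.key" -in "$role.pem" \
            -certfile ca.pem -passout pass:
    done
)

# 0 when the certificate's public key equals the public key derived from the
# key file; a mismatch is what an import of the wrong key would produce.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when the certificate chains to ca.pem.
chains_to_ca() { openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1; }

# 0 when the certificate text contains the expected Extended Key Usage string.
has_eku() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# Builds everything; returns 0 only if all pre-import checks pass.
run_checks() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    write_templates || return 6
    build_pki || return 6
    chains_to_ca "$WORK/client.pem" || return 1
    chains_to_ca "$WORK/server.pem" || return 1
    key_matches_cert "$WORK/server.pem" "$WORK/server.key" || return 2
    if key_matches_cert "$WORK/server.pem" "$WORK/ca.key"; then return 3; fi
    has_eku "$WORK/client.pem" "TLS Web Client Authentication" || return 4
    has_eku "$WORK/server.pem" "TLS Web Server Authentication" || return 5
    echo "PKI built in $WORK: ca.pem, client.pfx, server.pem + server.key"
}
```

Set WORK to choose the output directory, then call run_checks. A non-zero return of 2 or 3 means the server CSR was generated with the wrong key, which the FortiGate will not accept as a matching key and certificate pair when server.pem is imported.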
Import the Server Certificate to the FortiGate

It's time to import server.pem and its private key into the FortiGate (ca.pem is imported separately in the next section).

1) Navigate to System -> Certificate -> Create/Import.
Select Import Certificate -> Select Type Certificate.
2) Upload server.pem.
3) Upload the private key that matches server.pem (the key passed to openssl req when server.csr was created).
4) Enter the key's password, if one was set, and select Create.

The server certificate should now show under Local Certificate.

Import the CA Certificate to the FortiGate

Navigate to System -> Certificate -> Create/Import and repeat the steps above with ca.pem.

The CA certificate should now show under Remote CA Certificate.

Import the Client Certificate and the CA to the Windows Client

Required files: client.pfx, ca.pem.

Install the client certificate on the Windows client system.
Open client.pfx. In the wizard, select Store Location -> Local Machine -> Next.
Import client.pfx -> Next -> Enter the export password created earlier with OpenSSL -> Next -> Select Place all certificates in the following store and select Personal -> Next -> Finish.

The client certificate should now be available in the certificate store under Personal.

Install the CA certificate

First, change the file extension of ca.pem to ca.cer. Open it and select Install Certificate -> Store Location -> Local Machine -> Next -> Select Place all certificates in the following store -> Select Trusted Root Certification Authorities -> Next -> Finish.

The CA certificate should now be available in the certificate store under Trusted Root Certification Authorities.

Configure PKI users on the FortiGate

# config user peer
    edit User2
        set ca CA_Cert_1
        set cn Gabriel
    next
end

In this example, the FortiGate matches the peer on the CN field of the subject in the certificate presented by the client: User2 accepts a certificate issued by the CA imported as CA_Cert_1 whose subject CN is Gabriel.

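The following is an added example, not from the article, that mirrors in shell the two conditions a config user peer entry with set ca and set cn imposes on a certificate presented by a client: it must chain to that CA and its subject CN must equal the configured value. It assumes openssl on PATH with a stock openssl.cnf (the test CA and the three client certificates are constructed here with throwaway keys via -subj), and it assumes an exact, case-sensitive string comparison of the CN, which is a simplification of the FortiGate's matching options.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: mirrors the two conditions the
# "config user peer" entry above imposes on a client certificate, namely that it
# chains to the CA named in "set ca" and that its subject CN equals "set cn".
# Assumptions: openssl on PATH with a stock openssl.cnf; exact string comparison
# of the CN; the CA and the three test certificates below are constructed here.
set -eu

PEERDIR="${PEERDIR:-$(mktemp -d)}"

# Returns 0 when a peer with "set ca <$1> / set cn <$3>" would accept cert $2.
peer_accepts() {
    ca_file=$1; cert=$2; want_cn=$3
    # Condition 1: the certificate must be issued by the configured CA.
    openssl verify -CAfile "$ca_file" "$cert" >/dev/null 2>&1 || return 1
    # Condition 2: the subject CN must equal the configured value.
    got_cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
             | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p')
    [ "$got_cn" = "$want_cn" ]
}

# Builds a throwaway CA plus three client certificates to exercise peer_accepts:
#   good.pem   issued by the CA, CN=Gabriel  -> accepted
#   other.pem  issued by the CA, CN=Mallory  -> rejected (CN mismatch)
#   rogue.pem  self-signed, CN=Gabriel       -> rejected (not issued by the CA)
make_fixtures() (
    cd "$PEERDIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=GBT/CN=Test CA" \
        -keyout ca.key -out ca.pem 2>/dev/null
    for pair in good:Gabriel other:Mallory; do
        name=${pair%%:*}; cn=${pair#*:}
        openssl req -new -newkey rsa:2048 -nodes -subj "/O=GBT/CN=$cn" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
            -days 30 -out "$name.pem" 2>/dev/null
    done
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=GBT/CN=Gabriel" \
        -keyout rogue.key -out rogue.pem 2>/dev/null
)

# Runs the three cases; returns 0 when every outcome matches the table above.
check_peer_logic() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    make_fixtures || return 9
    peer_accepts "$PEERDIR/ca.pem" "$PEERDIR/good.pem" Gabriel || return 1
    if peer_accepts "$PEERDIR/ca.pem" "$PEERDIR/other.pem" Gabriel; then return 2; fi
    if peer_accepts "$PEERDIR/ca.pem" "$PEERDIR/rogue.pem" Gabriel; then return 3; fi
    echo "peer logic OK: only the CA-issued certificate with CN=Gabriel is accepted"
}
```

The rogue case is the one that matters operationally: a certificate with the right CN but from a different issuer must be refused, which is why set ca and set cn are configured together and why only the intended CA is imported as a Remote CA Certificate.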
Assign PKI user to a group on the FortiGate

# config user peergrp
    edit pki_users
        set member User2
    next
end

Configure the Dial-up IPsec Tunnel

# config vpn ipsec phase1-interface
    edit "Dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set local-gw 10.9.10.62
        set authmethod signature
        set peertype peergrp
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha512
        set dpd on-idle
        set comments "VPN: Dialup (Created by VPN wizard)"
        set dhgrp 14
        set certificate "server.pem"
        set peergrp "pki_users"
        set ipv4-start-ip 10.10.10.10
        set ipv4-end-ip 10.10.10.20
        set dns-mode auto
        set ipv4-split-include "Dialup_split"
        set save-password enable
        set dpd-retryinterval 60
    next
end

Compared with the configuration produced by the VPN wizard, the following settings were changed in this example: authmethod to signature, peertype to peergrp, certificate to the imported server.pem and peergrp to pki_users.

    set authmethod signature
    set peertype peergrp
    set certificate "server.pem"
    set peergrp "pki_users"

Configure FortiClient

In FortiClient, select Create a new VPN connection.

Fill in the required information:
- Select X.509 Certificate as the Authentication method.
- Select the client certificate.

Ensure that, under Advanced Settings, the Phase 1 and Phase 2 information matches what is configured on the FortiGate (in this example, Phase 1 uses proposal aes256-sha512 with DH group 14).

Save the changes and try to connect using the client certificate.

Troubleshooting steps

1) Debug on the FortiGate side to see if traffic is being received.

Open the CLI and run the following:

# diagnose debug application ike -1
# diagnose debug application fnbamd -1
# diagnose debug enable

When finished, turn debugging off again:

# diagnose debug disable

2) Download the debug logs from FortiClient.
Navigate to Settings -> Logging -> Export Logs.

If the error message 'IKE phase1 authentication fail as peer's certificate is not verified' occurs, ensure the CA certificate was installed under Trusted Root Certification Authorities.

If the issue persists, contact Fortinet Support for more assistance.
