Fortinet black logo

Certificate management

Certificate management

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPN.

The FortiAuthenticator unit has several roles that involve certificates:

Certificate authority

The administrator generates CA certificates that can validate the user certificates generated on this FortiAuthenticator.

The administrator can import other authorities' CA certificates and Certificate Revocation Lists (CRLs), as well as generate, sign, and revoke user certificates. See End entities for more information.

SCEP server A SCEP client can retrieve any of the local CA certificates (Local CAs), and can have its own user certificate signed by the FortiAuthenticator device's CA.
Remote LDAP authentication Acting as an LDAP client, FortiAuthenticator can authenticate users against an external LDAP server. It verifies the identity of the external LDAP server by using a trusted CA certificate. See Trusted CAs for more information.
EAP authentication FortiAuthenticator can check that the client’s certificate is signed by one of the configured authorized CA certificates (see Certificate authorities). The client certificate must also match one of the user certificates (see End entities).

Any changes made to certificates generate log entries that can be viewed under Logging > Log Access > Logs. See Logging.

Certificate management

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPN.

The FortiAuthenticator unit has several roles that involve certificates:

Certificate authority

The administrator generates CA certificates that can validate the user certificates generated on this FortiAuthenticator.

The administrator can import other authorities' CA certificates and Certificate Revocation Lists (CRLs), as well as generate, sign, and revoke user certificates. See End entities for more information.

SCEP server A SCEP client can retrieve any of the local CA certificates (Local CAs), and can have its own user certificate signed by the FortiAuthenticator device's CA.
Remote LDAP authentication Acting as an LDAP client, FortiAuthenticator can authenticate users against an external LDAP server. It verifies the identity of the external LDAP server by using a trusted CA certificate. See Trusted CAs for more information.
EAP authentication FortiAuthenticator can check that the client’s certificate is signed by one of the configured authorized CA certificates (see Certificate authorities). The client certificate must also match one of the user certificates (see End entities).

Any changes made to certificates generate log entries that can be viewed under Logging > Log Access > Logs. See Logging.