Configure the certificates and Root CA

With Microsoft Active Directory as the Root CA, use Group Policy Management to deploy client certificates to domain computers. This is the certificate that will be used to validate RADIUS requests.

To create a computer client certificate:
  1. In Active Directory > Group Policy Management, create a new Group Policy Object (GPO) with settings configured for auto-enrollment.
  2. Link the GPO to the OU where the client computers are located.
    The computer account in Active Directory must use the attribute dNSHostName with the value of the computer's name. This attribute is used later on FortiAuthenticator when creating the user remote sync rule.

To import the Microsoft AD Root CA as a trusted CA:
  1. On the FortiGate, go to System > Certificates, and click Import > CA Certificate. Configure the following settings, and click OK when complete.
    1. Type: File.
    2. Upload: Click Upload and browse to the location of your certificate.
  2. On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Trusted CAs, and click Import. Configure the following settings, and click OK when complete.
    1. Certificate ID: Enter the certificate ID.
    2. Certificate: Click Upload a file and browse to the location of your certificate.

Once the Root CA is configured, you can issue certificates from AD to both the FortiGate and the FortiAuthenticator.
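As an added pre-flight check, not part of the Fortinet cookbook, the following PowerShell script run on a domain-joined client verifies the pieces the steps above depend on: that the computer object's dNSHostName matches the machine name, that auto-enrollment has issued a machine certificate from the Root CA whose DNS name matches that attribute, that the chain validates, and it exports the Root CA certificate in DER form for import on the FortiGate and FortiAuthenticator. It assumes the ActiveDirectory and PKI PowerShell modules are installed; $RootCaSubject is a placeholder for your own Root CA's subject name.

```powershell
# Pre-flight check for AD-issued machine certificates (added example, not Fortinet code).
# Run in an elevated PowerShell session on a domain-joined client after the GPO has applied.
param(
    [string]$RootCaSubject = 'CN=EXAMPLE-ROOT-CA',        # placeholder: your AD Root CA subject
    [string]$ExportPath    = "$env:TEMP\ad-root-ca.cer"   # DER file to import on FortiGate/FortiAuthenticator
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. The computer object must carry dNSHostName = this computer's FQDN; the
#    FortiAuthenticator remote sync rule keys off this attribute.
$computer    = Get-ADComputer -Identity $env:COMPUTERNAME -Properties dNSHostName
$domain      = (Get-CimInstance Win32_ComputerSystem).Domain
$expectedDns = "$env:COMPUTERNAME.$domain".ToLower()
if ($computer.dNSHostName.ToLower() -ne $expectedDns) {
    throw "dNSHostName is '$($computer.dNSHostName)', expected '$expectedDns'"
}

# 2. Auto-enrollment should have placed a machine certificate issued by the Root CA
#    in the local computer store. If none is found, nudge auto-enrollment and stop.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $RootCaSubject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) {
    certutil -pulse | Out-Null
    throw "No valid machine certificate from '$RootCaSubject'; auto-enrollment triggered, re-run later"
}

# 3. The certificate's DNS name must match dNSHostName, otherwise the identity presented
#    in the RADIUS exchange will not line up with the synced computer entry.
$certNames = @($clientCert.DnsNameList.Unicode)
if ($certNames -notcontains $computer.dNSHostName) {
    throw "Certificate DNS names ($($certNames -join ', ')) do not include $($computer.dNSHostName)"
}

# 4. The chain must validate up to a Root CA present in LocalMachine\Root. That same
#    Root CA certificate is what the FortiGate and FortiAuthenticator need as a trusted CA.
if (-not (Test-Certificate -Cert $clientCert -Policy BASE -ErrorAction SilentlyContinue)) {
    throw "Chain validation failed for thumbprint $($clientCert.Thumbprint)"
}
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $RootCaSubject } | Select-Object -First 1
if (-not $rootCa) { throw "Root CA '$RootCaSubject' is not in LocalMachine\Root" }
Export-Certificate -Cert $rootCa -FilePath $ExportPath -Type CERT | Out-Null
Write-Output "OK: $($clientCert.Subject) chains to $RootCaSubject; Root CA exported to $ExportPath"
```

The exported .cer file is the one to upload in the System > Certificates and Trusted CAs import steps above.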