Administration Guide

Device self-enrollment

Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It can be used to enable EAP-TLS for BYOD configurations, or for VPN authentication. For example:

  • A user brings their tablet to a BYOD organization.
  • They log in to FortiAuthenticator and create a certificate for the device.
  • With their certificate, username, and password they can authenticate to gain access to the wireless network.
  • Without the certificate, they are unable to access the network.

EAP-TLS is a bidirectional (mutual) certificate authentication method; the client and the FortiAuthenticator EAP server both need certificates issued by the same CA.

To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal > Device Self-enrollment and select Enable user device certificate self-enrollment.

SCEP must be enabled to activate this feature; see SCEP.

The following settings can be configured:

SCEP enrollment template: Select a SCEP enrollment template from the dropdown menu. SCEP can be configured in Certificate Management > SCEP.

Maximum devices: Set the maximum number of devices that a user can self-enroll.

Key size: Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits). Note that iOS devices only support 1024 and 2048.

Enable self-enrollment for Smart Card certificate: Select to enable self-enrollment for smart card certificates. This requires that a Device FQDN be configured (in the System Information widget under System > Dashboard > Status), as it is used in the CRL Distribution Points (CDPs) certificate extension.

Select OK to apply any changes you have made.
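As an added example (not from this guide and not FortiAuthenticator code), the following Go program applies the constraints described above to a self-enrolled device certificate: it must chain to the CA that the EAP server trusts, its RSA key must be one of the permitted sizes, and, for the smart card case, it must carry the CRL Distribution Points extension. The newCert helper only stands in for the real SCEP enrollment so the check can run offline; the CA name, device name and CRL URL used with it are constructed values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// newCert issues an RSA certificate for cn (a stand-in for SCEP enrollment). With parent == nil
// it is a self-signed CA playing the FortiAuthenticator CA; otherwise it is an EAP-TLS client
// certificate signed by parent. cdp, if set, becomes the CRL Distribution Points extension.
func newCert(cn string, bits int, parent *x509.Certificate, parentKey *rsa.PrivateKey, cdp []string) (*x509.Certificate, *rsa.PrivateKey) {
	key := must(rsa.GenerateKey(rand.Reader, bits))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, CRLDistributionPoints: cdp,
	}
	if parent == nil { // self-signed CA: replace the client-auth usages with CA usages
		tmpl.IsCA, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// CheckEnrolledCert applies the guide's constraints to a device certificate: it must chain to
// the CA the EAP server trusts, use a permitted RSA key size and, when requireCDP is set
// (the smart card case), carry a CRL Distribution Points extension.
func CheckEnrolledCert(dev, ca *x509.Certificate, allowedBits map[int]bool, requireCDP bool) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("device certificate is not issued by the trusted CA: %w", err)
	}
	if pub, ok := dev.PublicKey.(*rsa.PublicKey); !ok || !allowedBits[pub.N.BitLen()] {
		return fmt.Errorf("public key (%T) is not RSA of a permitted size", dev.PublicKey)
	}
	if requireCDP && len(dev.CRLDistributionPoints) == 0 {
		return fmt.Errorf("CRL Distribution Points extension is missing")
	}
	return nil
}
```

A certificate from a different CA, a key size outside the allowed set, or a missing CDP extension each produce a distinct error, which is what a RADIUS or VPN operator wants to see in logs when an EAP-TLS client is rejected.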
