You must import the Active Directory (AD) certificate authority (CA) certificate into the FortiGate for the FortiGate to verify the chain of trust for the client certificate and the LDAPS connection.
- In the Certification Authority manager, right-click your domain, then select Properties.
- On the General tab, click View Certificate.
- On the Details tab, click Copy to File...
- Follow the wizard to save the file as a Base-64 encoded X.509 (.CER).
- In FortiOS, import the certificate:
  - Go to System > Certificates.
  - Click Create/Import > CA Certificate.
  - For Type, select File.
  - Click Upload.
  - Select the previously saved CA certificate.
  - Click OK.
- Once imported, run the following CLI commands to rename the certificate for easier recognition:

```
config vpn certificate ca
    rename CA_Cert_1 to FortiAD.Info
end
```

- In System > Certificates, view the imported certificate under Remote CA Certificate.
Additionally, the root CA may also have issued a server certificate for SSL VPN portal access. If so, you must import this server certificate on the FortiGate as well. In this example, a wildcard certificate for *.ztnademo.com was issued and installed on the FortiGate, as shown in the screenshot.
Furthermore, you must install the CA certificate on the endpoint computer so that the endpoint can validate the SSL VPN gateway's certificate chain. Install the CA certificate under Local Computer\Trusted Root Certification Authority\Certificates.
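The Windows-side steps above (export the CA certificate as Base-64 X.509, then install it on the endpoint), as an added PowerShell example that is not part of the original Fortinet page; it also checks that the exported file really is a CA certificate and that the SSL VPN server certificate was issued by it. The output path, the scratch file and the local copy of the server certificate are assumptions.

```powershell
# Added example (not from the Fortinet page): export the AD CS CA certificate as Base-64 X.509,
# sanity-check it, and install it in Local Computer\Trusted Root Certification Authorities.
# Run in an elevated session on the CA server; from another domain host, add
# -config "CAHost\CAName" to the certutil call. Paths below are assumptions.
$OutFile = 'C:\Temp\FortiAD.Info.cer'            # assumed: where the Base-64 .CER is written
$DerTmp  = Join-Path $env:TEMP 'ca-export.der'   # assumed scratch file

# 1. Retrieve the CA certificate from Certificate Services (equivalent of View Certificate > Copy to File).
certutil -ca.cert $DerTmp | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -ca.cert failed with exit code $LASTEXITCODE" }

# 2. Load it and re-encode RawData (always DER) as PEM with 64-character lines, which is the
#    "Base-64 encoded X.509 (.CER)" format the export wizard produces and FortiOS imports.
$ca    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($DerTmp)
$b64   = [Convert]::ToBase64String($ca.RawData)
$lines = ($b64 -split '(.{64})') | Where-Object { $_ -ne '' }
$pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii -NoNewline
Remove-Item $DerTmp -ErrorAction SilentlyContinue

# 3. Checks before uploading: must be a CA certificate (basicConstraints CA=TRUE) and still valid.
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw "$OutFile is not a CA certificate; export the CA's own certificate, not a leaf" }
if ($ca.NotAfter -lt (Get-Date)) { throw "CA certificate expired on $($ca.NotAfter)" }
Write-Host ("Exported CA '{0}', thumbprint {1}, valid until {2}" -f $ca.Subject, $ca.Thumbprint, $ca.NotAfter)

# 4. Optional: confirm the SSL VPN server certificate (the *.ztnademo.com wildcard in the page's
#    example) was issued by this CA. $ServerCert is an assumed local copy of that certificate.
$ServerCert = 'C:\Temp\wildcard-ztnademo-com.cer'
if (Test-Path $ServerCert) {
    $srv = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCert)
    if ($srv.Issuer -ne $ca.Subject) {
        Write-Warning "Server certificate issuer '$($srv.Issuer)' does not match the exported CA; the FortiGate will not be able to build the chain"
    }
}

# 5. Install on the endpoint: Cert:\LocalMachine\Root is Local Computer\Trusted Root Certification Authorities.
$existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint
if (-not $existing) {
    Import-Certificate -FilePath $OutFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $ca.Thumbprint |
    Select-Object Subject, Thumbprint, NotAfter
```

The resulting `FortiAD.Info.cer` is the file to upload under System > Certificates > Create/Import > CA Certificate.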