Fortinet black logo

Administration Guide

Computer/machine certificate

Computer/machine certificate

In this example, a group policy enables autoenrollment of computer certificates from each endpoint. The following is issued to WIN10-01. To see the certificate, open the Certificate Manager or Certificate Plug-in, and go to Local Computer\Personal\Certificates. Double-click the issued certificate and view the Details tab.

As the example shows, the Windows Active Directory (AD) issues a certificate with DNS Name=WIN10-01.fortiad.info in the subject alternative name (SAN) field. This matches the computer userPrincipalName on the AD:

Alternatively, you can try to issue a custom computer certificate with principal name in the SAN field, which matches the computer name field. Usually, the name field does not include the domain portion (fortiad.info in this example). Therefore, stripping the domain portion from the certificate principal name requires extra configuration on the FortiGate.

Computer/machine certificate

In this example, a group policy enables autoenrollment of computer certificates from each endpoint. The following is issued to WIN10-01. To see the certificate, open the Certificate Manager or Certificate Plug-in, and go to Local Computer\Personal\Certificates. Double-click the issued certificate and view the Details tab.

As the example shows, the Windows Active Directory (AD) issues a certificate with DNS Name=WIN10-01.fortiad.info in the subject alternative name (SAN) field. This matches the computer userPrincipalName on the AD:

Alternatively, you can try to issue a custom computer certificate with principal name in the SAN field, which matches the computer name field. Usually, the name field does not include the domain portion (fortiad.info in this example). Therefore, stripping the domain portion from the certificate principal name requires extra configuration on the FortiGate.