Fortigate SSL VPN with certificates

Browsers need to trust the SSL VPN Website

You’re setting up your Fortigate to allow users to connect to the network via SSL VPN however when users access the SSL VPN page they are face with the invalid certificate message in their browser. You’ll need to get a certificate signed by a CA for most browsers to accept your VPN page. If you already have a wildcard certificate in use on others server you may want to follow these instructions to get it imported in the Fortigate. Alternatively if the clients computers are members of your domain where the controller has the Certificate Authority role installed you can sign the certificate on your domain controller and re-import into the Fortigate.

Instructions on generating a certificate request and re-importing into the Fortigate can be found here.

The Fortigate needs to trust the clients connecting to it.

Next step in getting your SSL VPN up and running is that you want an extra authentication step whereby users must have the correct certificate installed in their browser before they can access the SSL VPN. Here you’ll create user certificates that will be imported into browsers. These certificates can be signed using OpenSSL or your domain controller with the Certificate Authority role installed. The corresponding CA certificate will be imported into the Fortigate so it can verify client certificates.

Instructions can be found here.


Using OpenSSL to sign the SSL VPN server and client identity certificates

If you want to use OpenSSL to both sign the SSL VPN server certificate and the client identity certificates some intructions can be found here.

Leave a Reply