Channel: Fortinet GURU

Public Key Infrastructure – FortiAnalyzer – FortiOS 6.2.3

Public Key Infrastructure

Public Key Infrastructure (PKI) authentication uses an X.509 certificate authentication library that takes a list of peers, peer groups, and user groups and returns an authentication successful or denied notification. Administrators only need a valid X.509 certificate for successful authentication; no username or password is necessary.

To use PKI authentication for an administrator, you must configure the authentication before you create the administrator accounts. You will also need the following certificates:

  • an X.509 certificate for the FortiManager administrator (administrator certificate)
  • an X.509 certificate from the Certificate Authority (CA) which has signed the administrator’s certificate (CA Certificate)

To get the CA certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > Certificate Authorities > Local CAs.
  3. Select the certificate and select Export in the toolbar to save the CA certificate to your management computer. The saved CA certificate’s filename is ca_fortinet.com.crt.

To get the administrator certificate:

  1. Log into your FortiAuthenticator.
  2. Go to Certificate Management > End Entities > Users.
  3. Select the certificate and select Export in the toolbar to save the administrator certificate to your management computer. The saved CA certificate’s filename is com.p12. This PKCS#12 file is password protected. You must enter a password on export.
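
Before importing either file, you can confirm that the certificate inside the exported PKCS#12 bundle really chains to the exported CA certificate and has not expired. The script below is an added example, not part of the original documentation; it assumes the `openssl` command-line tool is available on the management computer, and the function names and the throwaway demo PKI are hypothetical.

```bash
# Added example: pre-flight check of the two exported files before import.
# Usage (the password is read from the environment, not the command line):
#   export P12_PASS='...'; check_admin_cert ca_fortinet.com.crt <exported .p12 file>
# Returns 0 = certificate chains to the CA and is within its validity period,
#         1 = chain or validity check failed, 2 = bundle could not be opened.
check_admin_cert() {
    local ca="$1" p12="$2" rc=0 tmp
    tmp="$(mktemp)" || return 2
    # Extract only the client certificate; the private key is never written out.
    if ! openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:P12_PASS \
            -out "$tmp" 2>/dev/null; then
        echo "cannot open $p12 (wrong password or not PKCS#12)" >&2
        rm -f "$tmp"; return 2
    fi
    # Show who the certificate identifies, who issued it, and when it expires.
    openssl x509 -in "$tmp" -noout -subject -issuer -enddate
    # Trust only the exported CA file, not the system certificate directory.
    openssl verify -no-CApath -CAfile "$ca" "$tmp" >/dev/null 2>&1 || rc=1
    rm -f "$tmp"
    return "$rc"
}

# Constructed throwaway PKI for trying the check offline (hypothetical names):
# a demo CA, an administrator certificate it signs, and an unrelated CA.
make_demo_pki() {
    local d="$1" n
    for n in ca other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$n" \
            -keyout "$d/$n.key" -out "$d/$n.crt" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-admin" \
        -keyout "$d/admin.key" -out "$d/admin.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/admin.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/admin.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/admin.key" -in "$d/admin.crt" \
        -passout env:P12_PASS -out "$d/admin.p12"
}
```

A return value of 1 means the bundle opened but its certificate was not issued by the CA file you are about to import, so PKI login for that administrator would be denied.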

To import the administrator certificate into your browser:

  1. In Mozilla Firefox, go to Options > Advanced > Certificates > View Certificates > Import.
  2. Select the file com.p12 and enter the password used in the previous step.

To import the CA certificate into the FortiAnalyzer:

  1. Log into your FortiAnalyzer.
  2. Go to System Settings > Certificates > CA Certificates.
  3. Click Import, and browse for the com.crt file you saved to your management computer, or drag and drop the file onto the dialog box. The certificate is displayed as CA_Cert_1.

To create a new PKI administrator account:

  1. Go to System Settings > Admin > Administrator.
  2. Click Create New. The New Administrator dialog box opens. See Creating administrators on page 224 for more information.
  3. Select PKI for the Admin Type.
  4. Enter a comment in the Subject field for the PKI administrator.
  5. Select the CA certificate from the dropdown list in the CA
  6. Click OK to create the new administrator account.
