Certificate Management

This section describes managing certificates with the FortiAuthenticator device.

FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for HTTPS and SSH, and client certificates for HTTPS, SSL, and IPsec VPN.

The FortiAuthenticator unit has several roles that involve certificates:

- Certificate authority: The administrator generates CA certificates that can validate the user certificates generated on this FortiAuthenticator unit. The administrator can also import other authorities' CA certificates and Certificate Revocation Lists (CRLs), and can generate, sign, and revoke user certificates. See End entities for more information.
- SCEP server: A SCEP client can retrieve any of the local CA certificates (Local CAs), and can have its own user certificate signed by the FortiAuthenticator unit CA.
- Remote LDAP authentication: Acting as an LDAP client, the FortiAuthenticator unit authenticates users against an external LDAP server. It verifies the identity of the external LDAP server by using a trusted CA certificate; see Trusted CAs.
- EAP authentication: The FortiAuthenticator unit checks that the client's certificate is signed by one of the configured authorized CA certificates (see Certificate authorities). The client certificate must also match one of the user certificates (see End entities).
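The certificate authority and EAP authentication roles above come down to three checks on a certificate a client presents: the signature chain must end at an authorized CA, the certificate must not appear on the current CRL, and it must be one the CA actually issued (a known end entity). The shell script below is an added illustration written with the OpenSSL command line; it is not FortiAuthenticator code or configuration. It stands up a throwaway lab CA, issues two client certificates, publishes a CRL, and then runs the three checks against a valid certificate, a certificate signed by an unrelated ("rogue") CA, and a certificate the lab CA has since revoked. The names (Lab CA, alice, bob, mallory, Rogue CA), the working directory layout and the ca.cnf contents are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not FortiAuthenticator code): a throwaway OpenSSL CA that issues,
# revokes and validates client certificates the way the roles above describe.
# All names, paths and the ca.cnf layout below are assumptions made for this demo.
set -eu

# Issue a client certificate for the given CN from the lab CA database in $WORK.
issue_client() {
  cn="$1"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" -subj "/CN=$cn" 2>/dev/null
  # 'openssl ca' records every certificate it signs (serial, status) in index.txt
  openssl ca -config "$WORK/ca.cnf" -batch -notext -in "$WORK/$cn.csr" \
    -out "$WORK/$cn.crt" >/dev/null 2>&1
}

# Publish the CA's current revocation state as a CRL signed by the lab CA.
publish_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Build a fresh lab in a temporary directory: one trusted CA, two issued client
# certs, an (initially empty) CRL, and a cert from an unrelated "rogue" CA.
lab_setup() {
  WORK=$(mktemp -d)
  mkdir "$WORK/issued"
  : > "$WORK/index.txt"
  printf '1000\n' > "$WORK/serial"
  printf '01\n' > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/issued
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = policy_cn
x509_extensions  = client_ext

[ policy_cn ]
commonName = supplied

[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Self-signed CA certificate (OpenSSL's default req settings mark it CA:TRUE).
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -days 30 -subj "/CN=Lab CA" 2>/dev/null
  issue_client alice
  issue_client bob
  publish_crl

  # An unrelated CA signs a certificate for "mallory": a well-formed X.509
  # certificate, just not from a CA this lab trusts, so it must be rejected.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" -days 30 -subj "/CN=Rogue CA" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/mallory.key" -out "$WORK/mallory.csr" -subj "/CN=mallory" 2>/dev/null
  openssl x509 -req -in "$WORK/mallory.csr" -CA "$WORK/rogue.crt" -CAkey "$WORK/rogue.key" \
    -CAcreateserial -days 30 -out "$WORK/mallory.crt" 2>/dev/null
}

# Revoke an issued client certificate and re-publish the CRL.
revoke_client() {
  openssl ca -config "$WORK/ca.cnf" -revoke "$1" >/dev/null 2>&1
  publish_crl
}

# The EAP-style check: returns 0 only if the certificate chains to the trusted
# CA, is not on the current CRL, and matches an end entity this CA issued.
check_client_cert() {
  cert="$1"
  # Checks 1 and 2: signature chain to ca.crt, plus CRL check on the leaf.
  openssl verify -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" -crl_check \
    "$cert" >/dev/null 2>&1 || return 1
  # Check 3: the serial must be listed with status V (valid) in index.txt.
  # index.txt columns are tab-separated: status, expiry, revocation date, serial, ...
  serial=$(openssl x509 -in "$cert" -noout -serial | sed 's/^serial=//')
  awk -F'\t' -v s="$serial" \
    '$1 == "V" && $4 == s { found = 1 } END { exit found ? 0 : 1 }' "$WORK/index.txt"
}

main() {
  lab_setup
  for name in alice bob mallory; do
    if check_client_cert "$WORK/$name.crt"; then echo "$name: accepted"; else echo "$name: rejected"; fi
  done
  revoke_client "$WORK/alice.crt"
  if check_client_cert "$WORK/alice.crt"; then echo "alice after revocation: accepted"; else echo "alice after revocation: rejected"; fi
  rm -rf "$WORK"
}
main
```

Note that `-crl_check` fails closed: if no CRL for the issuer is available at all, OpenSSL rejects the certificate rather than skipping the check, which is why the lab publishes an empty CRL before the first verification. The third check is what distinguishes "signed by our CA" from "one of our end entities": a certificate the CA database does not know about (for example one restored from an old backup of the CA key) fails it even though the signature is valid.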

Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See Logging.

This chapter includes the following sections: