Certificate-based Web UI login

Different from username/password authentication, certificate-based authentication is the use of a Digital Certificate, which includes asymmetric cryptography, to identify a user before granting access to a resource. FortiWeb supports the certificate-based authentication for administrators' Web UI login. FortiWeb control an administrator's login by verifying his certificate if he connects to the Web UI through HTTPS. By default, the certificate-based authentication can coexist with original username/password authentication.

If you connect to the Web UI through HTTPS, FortiWeb first verifies the certificate you provided.
- If your certificate is valid, then your access to Web UI will be granted (the username/password login page will not be displayed).
- If you fail in the certificate authentication, you will be directed to the username/password login page.
If you connect to the Web UI through HTTP, FortiWeb will only verify your access by the username/password.

However, FortiWeb can also operate with only the certificate-based authentication, as long as the option (disabled by default) is enabled through Web UI or a CLI command:

Go to System > Admin > Settings, and have Enable HTTPS Certificate Login checked (see Global web UI & CLI settings),
or login to the CLI and perform command as follow:

config system global

set https-cert-login <enable/disable>

end

When the HTTPS Certificate Login (https-cert-login) is enabled, the certificate-based authentication is the only authentication method that FortiWeb uses to verify the Web UI accesses. The administrator's access to the Web UI must be in HTTPS and a correct certificate must be provided for the authorization. The original username/password authentication will be disabled (No username/password login page will be displayed). One who fails in the certificate authorization fails to login to FortiWeb's Web UI.

To apply certificate-based authentication to an administrator, here are the steps:

Upload the CA's certificate of the administrator's certificate
Create a PKI user (A PKI user contains a pair of the subject of the user's personal certificate and the corresponding CA certificate of the personal certificate)
Add the PKI user to an Admin group
Apply the Admin group to an administrator

To upload the CA's certificate of the administrator's certificate

1. Obtain a copy of your CA’s certificate file.

2. Go to System > Admin > Certificates and select the Admin Cert CA tab.

You can click View Certificate Detail to view the selected certificate’s subject, range of dates within which the certificate is valid, version number, serial number, and extensions.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

3. To upload a certificate, click Import.

A dialog appears.

4. To select a certificate, do one of the following:

Enable SCEP and in the field to the right of it, type the URL of the applicable Simple Certificate Enrollment Protocol server. (SCEP allows routers and other intermediary network devices to obtain certificates.)

To specify a specific CA, type an identifier in the field below the URL.
Enable Local PC and browse to find a certificate file.

5. Click OK.

To create a PKI user

1. Go to User > PKI User.

2. You can click Edit to edit the selected PKI user.

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Auth Users category. For details, see Permissions.

3. To create a PKI user, click Create New.

A dialog appears.

4. Complete the following settings:

Name	Enter the PKI user name for the administrator.
Subject	Enter the subject of the administrator's certificate, such as "`C = US, ST = Washington, O = yourorganization, CN = yourname`".
CA	Select the CA certificate of the administrator's certificate. All the certificates imported in System > Admin > Admin Cert CA will be listed here (see Upload the CA's certificate of the administrator's certificate).

5. Click OK.

To add the PKI user to an Admin group

1. Go to User > User Group > Admin Group (see Grouping remote authentication queries and certificates for administrators).

To access this part of the web UI, your administrator's account access profile must have Read and Writepermission to items in the Auth Users category. For details, see Permissions.

2. Click Create New.

A dialog appears.

3. In Name, type a name that can be referenced by other parts of the configuration, such as admin-remote-auth1. Do not use special characters. The maximum length is 35 characters.

4. Click OK.

The Create New button for this item, below its name, will no longer be greyed out, indicating that it has become available.

5. Click Create New.

A dialog appears that enables you to add PKI users to the group.

6. For User Type, select the PKI User type.

7. From Name, select the name of an existing PKI users that you created in User > PKI User > PKI User (see Create a PKI user).

8. Click OK.

To apply the Admin group to an administrator

Go to System > Admin > Administrators and apply the Admin group containing the PKI user to a corresponding administrator by selecting Remote User as the Type and selecting the group in Admin User Group (see Administrators).

Administrators have to install their certificates to their local browsers first. Every time you use the browser to connect to FortiWeb's Web UI through HTTPS, you will be required to select one of the certificates installed in the browser for authenticate yourself to FortiWeb. FortiWeb verifies the certificate you provided with the PKI users in Admin groups. If you are succeed in the authentication, you will be associated with the administrator account that the matched PKI user and Admin group are applied to, and the access profile will be applied to you (see Access Profile).

Open topic with navigation