How to implement VPN Certificate base authentication

We have a Fortigate VPN gateway and would like to implement "Certificate Based Authentication" for the VPN client. Our VPN gateway is located in the Internet DMZ. As I am new to VPN, should we use an external or third-party CA (e.g. VeriSign or GoDaddy), or can I use an internal CA infrastructure?

If an internal CA is used, should I put my CA server on the same subnet (i.e. the Internet DMZ), or can I put my CA server on the internal network? But I am concerned about how the external VPN client would be able to contact the CA server if it is an internal server.

Any hints or suggestions would be highly appreciated.

Thanks & Regards
Patrick
Asked by patricktam
btan (Exec Consultant) commented:
It can be self-signed, from your existing CA or from a 3rd-party CA. But to avoid a prompt (invalid certificate message) in the user's browser, you'll need to get a certificate signed by a CA for most browsers to accept your VPN page.

Some considerations include:
a) If using self-signed, you will likely get the prompt, so import that in; I do encourage using an existing CA if available, for the chain of trust.

b) If you already have a wildcard certificate in use on other servers, you can get it imported into the Fortigate.

c) If the client computers are members of your domain where the controller has the Certificate Authority role installed, you can sign the certificate on your domain controller and re-import it into the Fortigate.

d) If you want users to be authenticated with the correct certificate installed in their browser before they can access the SSL VPN, you also need to create user certificates that will be imported into browsers. In this case, these certificates can be signed by your domain controller with the Certificate Authority role installed. The corresponding CA certificate will be imported into the Fortigate so it can verify client certificates.

E.g. generate a certificate request and import a signed certificate back into the Fortigate.

E.g. importing a wildcard certificate into the Fortigate.
Hassan Besher commented:
You can use SSL VPN to authenticate using a certificate, and you can select which certificate the FortiGate offers to authenticate itself. By default, the FortiGate unit offers its factory-installed (self-signed) certificate from Fortinet to remote clients when they connect.

http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/SSLVPN_FortiGate_41.161.09.html
jmathon commented:
You can also create your own certificate on the Fortigate unit (System -> Certificates).
But if you already have a PKI infrastructure, you don't care where it is based.
Just create your certificate and import it into the Fortigate.