Generally they are very specific, and often for an internal enterprise network. Local certificates are issued for a specific server, or web site. FortiOS supports local, remote, CA, and CRL certificates. There are different types of certificates available that vary depending on their intended use.
See Authenticating IPsec VPN users with security certificates on page 126. The VPN gateway configuration can require certificate authentication before it permits an IPsec tunnel to be established. Unlike administrators or SSL VPN users, IPsec peers use HTTP to connect to the VPN gateway configured on the FortiGate unit. IPsec VPNs and certificatesĬertificate authentication is a more secure alternative to pre-shared key (shared secret) authentication for IPsec VPN peers. This ensures that each step along the path is valid and trustworthy.Ĭertificate Management Protocol version 2Ĭertificate Management Protocol version 2 (CMPv2) is an enrollment and revocation protocol for certificates. Server-based Certificate Validation Protocol (SCVP) is used to trace a certificate back to a valid root level certificate.
Server-based Certificate Validation Protocol Typically this involves generating a request you send directly to the SCEP service, instead of generating a file request that may or may not be signed locally. Simple Certificate Enrollment Protocol (SCEP) is an automated method of signing up for certificates. The authority responding can reply with a status of good, revoked, or unknown for the certificate in question. The OSCP check on the certificate’s revocation status is typically carried out over HTTP with a request-response format. However a CRL is a public list, and some companies may want to avoid the public exposure of their certificate structure even if it is only invalid certificates. Normally certificate revocation lists (CRLs) are used, but OCSP is an alternate method available. This is important to prevent hackers from changing the expiry date on an old certificate to a future date.
Online Certificate Status Protocol (OCSP) allows the verification of X.509 certificate expiration dates. These include the Online Certificate Status Protocol (OCSP), Simple Certificate Enrollment Protocol (SCEP), Server-based Certificate Validation Protocol (SCVP), and Certificate Management Protocol (CMP). There are multiple protocols that are required for handling certificates. You can then configure the FortiGate unit to identify itself using the server certificate instead of the self-signed certificate.įor more information, see the FortiOS Handbook SSL VPN guide.Īfter successful certificate authentication, communication between the client browser and the FortiGate unit is encrypted using SSL over the HTTPS link.
Optionally, you can install an X.509 server certificate issued by a certificate authority (CA) on the FortiGate unit.
This message is displayed because the FortiGate unit redirects the connection (away from the distinguished name recorded in the self-signed certificate) and can be ignored. Just before the FortiGate login page is displayed, a second message informs users that the FortiGate certificate distinguished name differs from the original request.If the user chooses to install the certificate, the prompt is not displayed again. When the user accepts the certificate, the FortiGate login page is displayed, and the credentials entered by the user are encrypted before they are sent to the FortiGate unit. If the user does not accept the certificate, the FortiGate unit refuses the connection. The first message prompts users to accept and optionally install the FortiGate unit’s self-signed security certificate.When the certificate is offered, the client browser displays two security messages. Optionally, the FortiGate unit can require the client to authenticate itself in return.īy default, the FortiGate unit uses a self-signed security certificate to authenticate itself to HTTPS clients. When a web browser connects to the FortiGate unit via HTTPS, a certificate is used to verify the FortiGate unit’s identity to the client. Certificates are an integral part of SSL. The secure HTTP (HTTPS) protocol uses SSL. There are a number of protocols that are commonly used with certificates including SSL and HTTPS, and other certificate-related protocols. L Certificates and protocols l IPsec VPNs and certificates l Certificate types on the FortiGate unit Certificates and protocols Certificate authentication is optional for IPsec VPN peers. Certificates play a major role in authentication of clients connecting to network services via HTTPS, both for administrators and SSL VPN users.