Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
kubiklefree
New Contributor

How do you find/match the subject of a PKI user? -- SSL VPN with Certificate configuration

Hello,

 

I am having an issue finding and then matching the "subject" of the user certificate for the users I created in this walk-through. From the directions, I get the feeling they expect you to know this, which I don't. Hopefully this makes sense and someone can help me out.

 

Currently, I am unable to connect to my VPN and feel this might be the issue.

 

Thank you for your help!

 

Jeff_FTNT
Staff

Try enabling the debug CLI: dia debug app fnbam -1. It will show the PKI user/certificate match.

FGT will check the certificate sent from the browser with the PKI user match, in this case, "Set subject User01". The certificate imported into your browser (IE/Firefox) should have a Subject like "C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = User01, emailAddress = support@fortinet.com".

 

Thanks.

 

kubiklefree

Thank you for the tip. I typed in the command, but there was no output. I might not completely understand what you are asking me to do. Am I supposed to look somewhere else for the output?

Jeff_FTNT

Add the CLI command: dia debug enable, if you want to see debug on the "CLI console". You may use a small box without Console. Thanks.

vinisantos_FTNT

I know this is an older post but I thought it'd be good trying to provide further clarification. As mentioned by Jeff, you are able to see the contents of the certificate you're using by opening it on a Windows machine for example.

 

Open your certificate, go to the tab "Details" and look for the field "Subject". What you're looking for - and what should match in your FortiGate's configuration - is whatever is after "CN" or CommonName, and only that.

 

In my case, the subject field for my PKI user is "vinisantos".
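
The same check from a command line, as an added example that is not part of any post in this thread: it reads the Subject of a PEM certificate with openssl and compares the CN with the value you intend to configure as the PKI user's subject. The function names, file names and the throwaway self-signed certificate are constructed for illustration, and the exact string comparison is this example's assumption, not a statement of how FortiOS compares the two.

```shell
#!/bin/sh
# Added example: read the Subject of a client certificate and compare its CN
# with the value configured as the PKI user's subject.

# Print the CommonName (CN) of a PEM certificate's Subject.
cert_cn() {
    # "-nameopt multiline" prints one attribute per line, for example
    #     commonName                = User01
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Succeed only if the certificate's CN equals the expected PKI subject
# (exact comparison is an assumption of this example).
cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Constructed sample: throwaway self-signed certificate carrying the Subject
# quoted in the thread. A real client certificate would come from your CA.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/sample.key" -out "$1/sample.pem" \
        -subj "/C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=FortiGate/CN=User01/emailAddress=support@fortinet.com" \
        2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_cert "$dir" || { rm -rf "$dir"; return 1; }
    echo "Full subject:"
    openssl x509 -in "$dir/sample.pem" -noout -subject
    echo "CN to compare with the PKI user's subject: $(cert_cn "$dir/sample.pem")"
    for expected in User01 user01; do
        if cn_matches "$dir/sample.pem" "$expected"; then
            echo "subject \"$expected\": same as the CN"
        else
            echo "subject \"$expected\": differs from the CN"
        fi
    done
    rm -rf "$dir"
}

demo
```

To check a real client certificate, export it as PEM and call cert_cn on that file instead of the sample.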
