FortiClient 6.0.4 problem with client certificates (IPsec especially)
We have our own enterprise Certification Authority: an offline Root CA, then a subordinate online CA running on Windows (ADCS - Active Directory Certificate Services) in our domain.
Our users are getting certificates from a slightly modified "User" template (has Application Policies: Client Authentication) by auto-enrollment, and have the option of manual enrollment (again a slightly modified "User" template) with longer expiration.
On our FortiGate we have installed that Root CA plus the subordinate CAs (we have two now - an older SHA-1 one, then a newer one issuing SHA-256 certificates). Then IPsec and SSL dialup VPNs - both require a client certificate from our CA and user/password.
FortiClient 5.4.5 works fine, both IPsec VPN and SSL VPN.
FortiClient 5.6.6 has some troubles, such as forgetting the password and the chosen certificate, needing to switch to IPsec VPN from SSL VPN and back to be able to select a certificate and such, but somehow it is able to work.
FortiClient 6.0.4 has problems, especially with IPsec VPN.
- first connect OK
- on second connect I am able to choose options such as password save (as FortiClient now knows that it is allowed), I am checking Save Password and Always Up
- then on next connects I am not able to select any client certificate (none is offered in connect dialog; in configuration there is, I can select and save, but then in connection none is chosen)
- it somehow works
- but after each connect I need to choose the certificate again, or even to be able to choose a certificate I need to switch to IPsec and then back to SSL VPN (or go to config, click save, and then it works again for one connection)