(Computer) client certificate validation

Magion
2020/04/02 05:24:13

(Computer) client certificate validation

Hi,
 
I have a working SSLVPN solution where I use client validation to check for a computer certificate from our internal PKI on the client. Domain computers get a certificate using autoenrollment policies and the root certificate is stored on the Fortigate. By enabling users to select the computer certificate in FortiClient during login, they can select the right certificate, which can be validated by Fortigate. So far so good...
 
The problem is, any certificate/key pair on the client, with a matching root on the Fortigate passes certificate validation. Since we use Lets Encrypt certificates, I uploaded the root of LE onto the Fortigate. If I install any valid LE certificate on the client, this certificate is also accepted.
 
Fortigate accepts any valid certificate for which it has a root certificate installed.
 
Is there a way to limit validation to specific root certificate(s)? Or perhaps check on specific certificate details?
 
 
Using only Fortigate, no other Fortinet products.
User authentication is done entirely on a remote Radius server, so no local/ldap/radius users defined.
FortiOS 6.0.5, FortiClient 6.0.8
 
Thx,
Michel
post edited by Magion - 2020/04/06 08:43:54
#1
boneyard
Re: Client certificate validation 2020/04/05 08:16:37
I don't believe this will be an issue. Most public CAs don't sell client certificates, so there is no issue there.
#2
Magion
Re: Client certificate validation 2020/04/05 23:52:30
It is, and yes they do.
 
I use the client certificate check to make sure only company-owned machines can connect to the VPN. For that I need to be sure only specific certificates (from our own private PKI) are accepted. FGT however seems to allow any valid certificate. If I install a LE certificate, I can use it to pass the client certificate check. Which means I cannot depend on this test anymore, unless I can specify a root CA.
 
As for client certificates, I think most major CAs sell them. But even regular 'web' certificates can be used as client certificates. I have checked my old certificates, and so far ALL server certificates contained both the server authentication and client authentication EKUs.
 
 
#3
Magion
Re: Client certificate validation 2020/04/15 00:51:32
Well, unfortunately Fortinet support could not help either. They keep telling me to create peer users... But since I use an external RADIUS server for authentication, no user management is done on the firewall.
 
I created a firewall group and added the RADIUS server as a remote group. Now, if I add a peer user with a root CA defined, would it then 'combine' the two? So use authentication from the remote RADIUS group and use the root CA for the certificate check?
 
(Can I change this without having all VPN sessions killed? Some changes to VPN or certificate settings usually end all VPN sessions.)
 
I was hoping for something easy like:
 
config vpn ssl settings
set reqclientcert enable
set ca 'my root ca'
end
 
 
post edited by Magion - 2020/04/16 06:14:10
#4
Magion
Re: Client certificate validation 2020/04/15 01:38:47 (marked helpful by Kojot_ 2020/04/16 06:10:26)
Just got word from support again. They gave me this link: https://kb.fortinet.com/kb/documentLink.do?externalID=FD47120.
 
Although I find the example config a bit confusing, it seems like what I want to accomplish might be possible... but only from FortiOS 6.2.2+. We are still on 6.0.5.
 
#5
Magion
Re: Client certificate validation 2020/04/16 03:36:11
Apparently there is an internal open issue with 6.0 where any valid certificate is allowed as a client certificate. So support recommends upgrading. Figures.
#6
Kojot_
Re: Client certificate validation 2020/04/16 06:20:26
I asked the same question about "Let's Encrypt" certificates at today's NSE4 SSL training. The trainer said that it's impossible to log in with a Let's Encrypt certificate.
I will try the solution from this KB.
#7
tanr
Re: Client certificate validation 2020/04/16 08:16:04
Did they give a bug number? There was a similar issue with 5.6 FortiGates just accepting the certs based on their root CA instead of actually checking the details.
#8
boneyard
Re: Client certificate validation 2020/04/16 10:09:31
For Kojot_ and Magion: can you show me a public certificate with which you can log in?
 
I was told that a setup like that would work for 6.0, but I'm afraid that it wasn't tested with client certs from other CAs.
#9
emnoc
Re: Client certificate validation 2020/04/16 12:37:32
OP, can you post your config and the "config user peer"? You should be able to set the expected peer-id and the root CA for the peer. And only those users that have the CA would be authenticated.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#10
Kojot_
Re: Client certificate validation 2020/04/16 13:02:21
I now understand that I did not "config user peer" but only selected "require user certificate".
I think I need to do it like in this article https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/751987/ssl-vpn-with-ldap-integrated-certificate-authentication but changed according to the KB:
# config user peer
   edit user1
      set ca "CA_1"
      set subject "OU = your_org"
   next
end
and now any certificate from my CA with "OU = your_org" will be accepted.
post edited by Kojot_ - 2020/04/16 13:05:27
#11
Kojot_
Re: Client certificate validation 2020/04/17 00:06:52
I configured this. It works when "Limit Users to One SSL-VPN Connection at a Time" is unchecked, because all users are now "certificate cn" (all users use one certificate). And in VPN events all users are the same.
Reverted everything back.
 
like Magion said:
"I was hoping for something easy like:
 config vpn ssl settings
set reqclientcert enable
set ca 'my root ca'
end
"
 
#12
emnoc
Re: Client certificate validation 2020/04/17 01:36:46
Yes, play around with the config user peer. You can set the string or "cn" and even do a peergroup if you so desire.
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#13
Agent 1994
Re: (Computer) client certificate validation 2020/04/17 05:20:04
Magion,
 
I had a similar problem a few days ago, but with an internal CA. I wanted to use computer certificates but not user certificates.
First, the user has to be an administrator or at least have permissions to access the computer certificate's private key. If not, the certificate will be available in FortiClient but won't work.
Second, in User -> PKI I used subject filtering to match part of the FQDN. I.e.: my lab environment had hydra.local as the domain, so the subject filter was ".hydra.local" (note the dot at the start; it will match computer.hydra.local but not user@hydra.local).
That being said: if your certificates have something in common (or could have), you can use subject filtering.
 
Max
#14
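Putting Kojot_'s "config user peer" entry (set ca plus set subject) and Max's ".hydra.local" subject filter together, here is an added Go example, not code from this thread or from Fortinet, that builds a throwaway internal CA, a second unrelated CA and three leaf certificates in-process and applies the same check a peer entry expresses: the chain must end at the one named CA, the leaf must be valid for client authentication, and the CN must end with the filter. The CA names, pc01.hydra.local and the other subjects are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
	"time"
)
// mkCert builds a self-signed CA when parent is nil, otherwise a leaf signed by
// parent/parentKey. Everything is constructed in-process; no real PKI is touched.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		// ordinary "web" certs carry both EKUs too, as the thread observes
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	signer, signerKey := tmpl, key
	if parent != nil { signer, signerKey = parent, parentKey }
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// acceptPeer is the check a "config user peer" entry expresses: chain ends at exactly
// this CA (not any CA the device trusts), leaf is valid for client auth, CN matches.
func acceptPeer(leaf, ca *x509.Certificate, subjectFilter string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca) // only the internal PKI root, nothing else the device trusts
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && strings.HasSuffix(leaf.Subject.CommonName, subjectFilter)
}
// scenario replays the thread: a machine cert from the internal PKI passes; one from
// a different (e.g. public) CA does not, and neither does a user certificate.
func scenario() (machineOK, otherCAOK, userCertOK bool) {
	internalCA, internalKey := mkCert("Hydra Internal Root CA", true, nil, nil)
	otherCA, otherKey := mkCert("Some Public CA", true, nil, nil)
	pc, _ := mkCert("pc01.hydra.local", false, internalCA, internalKey)
	stray, _ := mkCert("pc02.hydra.local", false, otherCA, otherKey)
	user, _ := mkCert("user@hydra.local", false, internalCA, internalKey)
	return acceptPeer(pc, internalCA, ".hydra.local"), acceptPeer(stray, internalCA, ".hydra.local"),
		acceptPeer(user, internalCA, ".hydra.local")
}
func main() { scenario() }
```

The second CA stands in for any other root the FortiGate happens to trust (the Let's Encrypt case from the first post): a certificate chaining to it is rejected even though it is otherwise valid, which is exactly what the 6.0 behaviour described in the thread fails to do.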
Magion
Re: Client certificate validation 2020/04/18 14:41:06
tanr said:
"Did they give a bug number? There was a similar issue with 5.6 FortiGates just accepting the certs based on their root CA instead of actually checking the details."

 
From support:
 
"Unfortunately, there is an internal ticket 574949, which is a security concern: once you enable require client certificate, you will allow all users signed by certificates that are trusted by the FortiGate."

#15
Magion
Re: Client certificate validation 2020/04/18 14:53:01
Lots of posts (but I did not get any notifications). Will read them more closely on Monday, some of it looked very interesting.
 
Just like to mention that I do not use local users. All authentication is done remotely on a RADIUS server, and all I did was add the RADIUS server as a remote group to a local firewall group.
 
If I understand support and the article I linked to correctly, it's possible to 'attach' a root certificate to all remote RADIUS users by creating one peer user and adding it to the firewall group next to the remote group.
 
But, since I only have a live production FortiGate to work with, I need to be careful with any tests I would like to do. Especially now, since everybody is working from home and depends on the VPN (which by the way has been very stable so far).
 
Michel
 
#16
tanr
Re: Client certificate validation 2020/04/19 10:32:54
Magion, did TAC specify if 574949 was fixed in any later versions?
 
It sounds like they managed to "unfix" the old bug I was referring to, 412987.
 
When a serious bug like this or that is fixed, standard practice is to add a simple regression test to make sure it doesn't happen again. It sounds like that wasn't done.
#17
Magion
Re: (Computer) client certificate validation 2020/04/20 08:13:54
emnoc said:
"OP, can you post your config and the "config user peer"?"

No, because I don't have any users defined on the firewall. No regular, no peer. So I can't show you anything.
Just like Kojot, I only have "require user certificate" set.
 
mkolus said:
"First, the user has to be an administrator or at least have permissions to access the computer certificate's private key. If not, the certificate will be available in FortiClient but won't work."

This is what I found: https://kb.fortinet.com/k....do?externalID=FD47826
I did not change anything for #1. The ACL is set so that only SYSTEM and administrators can access the private key. I have allow_standard_user_use_system_cert set in the client config according to #3.
 
Then at #2 it says that if the certificate is visible in the selection box (which it is), all should be well...
 
 
post edited by Magion - 2020/04/20 08:21:02
#18
Magion
Re: Client certificate validation 2020/04/20 08:16:31
tanr said:
"Magion, did TAC specify if 574949 was fixed in any later versions?"

No, and I did not ask about it.
#19
Magion
Re: (Computer) client certificate validation 2020/04/20 08:30:51
mkolus said:
"In User -> PKI I used subject filtering to match part of the FQDN. I.e.: my lab environment had hydra.local as the domain, so the subject filter was ".hydra.local" (note the dot at the start; it will match computer.hydra.local but not user@hydra.local).
That being said: if your certificates have something in common (or could have), you can use subject filtering."

Thanks for the info. Yes, I could use subject filtering, since computer certificates are all named computer.domain.com. Can you just enter .domain.com as the subject, or do I need to add a wildcard?
 
But I think my main problem here is that I don't have any users defined on the firewall itself. So I don't know how to link a (global?) peer user to the VPN users.
#20