Fortinet 293 FortiWeb 5.0 Patch 6 Administration Guide
See also
Supplementing a server certificate with its signing chain
How operation mode affects server policy behavior
How to apply PKI client authentication (personal certificates)
If your clients will connect to your web sites using HTTPS, you can configure FortiWeb to
require clients to present a personal certificate during the handshake in order to confirm their
identities. This is sometimes called public key infrastructure (PKI) authentication (RFC 5280).
Because FortiWeb presents its own server certificate to the client before requesting one from
the client, all PKI authentication with FortiWeb is actually mutual (2-way) authentication.
PKI authentication is an alternative to traditional password-based authentication. The traditional
method is based on “what you know” — a password used for authentication. PKI authentication
is based on “what you have” — a private key related to the certificate bound to only one person.
PKI authentication may be preferable for devices where it is onerous for the person to type a
password, such as an Android or iPhone smartphone.
A known weakness of traditional password-based authentication is the vulnerability to
password guessing or brute force attack. Despite your admonitions, many users will still choose
weak passwords either because they do not understand what makes a password “strong,”
because they do not understand the risks that it poses to the organization, or because they
cannot remember a randomized password.
PKI authentication is far more resilient to brute force attacks, and does not require end-users to
remember anything, so it is stronger than a password.
In addition to FortiWeb verifying client certificates, you can configure FortiWeb to forward client
certificates to the back-end server, whether for additional verification or identity-based
functionality. See Client Certificate Forwarding in “Configuring a server policy” on page 483.
For even stronger authentication, you can combine PKI authentication with HTTP or
form-based authentication. For more information, see “Authentication styles” on page 221.
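The exchange described above (FortiWeb presents its own server certificate, then requires a personal certificate from the client and verifies it against a trusted CA) and the verified identity that can then be forwarded to a back-end server, as an added example that is not part of this guide or of FortiWeb itself: a Go program using the standard crypto/tls package stands in for FortiWeb on a loopback socket. The CA, the server name fortiweb.example.test and the user alice are constructed for this example; nothing here is real FortiWeb, CA or customer material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a one-hour P-256 certificate for subject cn, signed by parent/parentKey or
// self-signed when isCA is set. Constructed test material only, not real FortiWeb or CA data.
func newCert(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"}, // lets the server cert pass the client's name check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signer := parentKey
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signer = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// asTLS packs a parsed certificate and its key into the form crypto/tls expects.
func asTLS(c *x509.Certificate, k *ecdsa.PrivateKey) tls.Certificate {
	return tls.Certificate{Certificate: [][]byte{c.Raw}, PrivateKey: k}
}

// handshake runs one loopback exchange the way the guide describes FortiWeb behaving: the
// server presents its own certificate first, then demands a client certificate chained to the
// trusted CA. It returns the verified client CN (the identity that could be forwarded to a
// back-end server) or the server-side error; passing no client models a browser with no personal certificate.
func handshake(ca *x509.Certificate, server tls.Certificate, client ...tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // absent or untrusted client cert aborts the handshake
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var cn string
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			defer conn.Close()
			if err = conn.(*tls.Conn).Handshake(); err == nil {
				// PeerCertificates[0] is the client's leaf, already verified against ClientCAs.
				cn = conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
				_, err = conn.Write([]byte(cn)) // tell the client it is in before hanging up
			}
		}
		done <- err
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS12, Certificates: client}
	// Under TLS 1.3 the client can finish before the server has judged its certificate, so the
	// client waits for the server's reply and the server-side verdict is the authoritative one.
	if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		_, _ = c.Read(make([]byte, 64))
		c.Close()
	}
	err = <-done
	return cn, err
}

func main() {
	ca, caKey, _ := newCert(1, "Constructed Test CA", true, nil, nil)
	srv, srvKey, _ := newCert(2, "fortiweb.example.test", false, ca, caKey)
	cli, cliKey, _ := newCert(3, "alice", false, ca, caKey)
	fmt.Println(handshake(ca, asTLS(srv, srvKey), asTLS(cli, cliKey))) // alice <nil>
	fmt.Println(handshake(ca, asTLS(srv, srvKey)))                      // empty identity plus the server's rejection error
}
```

Run with go run: the first call returns the verified identity alice with no error, the second, where the client holds no personal certificate, returns an empty identity and the server's rejection error; a certificate issued by any CA other than the trusted one is rejected the same way, which is why the subject name alone proves nothing. Personal certificates in a real deployment would normally also carry the clientAuth extended key usage, which the constructed CA here omits for brevity.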