Here's how you enable a PEM public certificate for SSH authentication with a FortiGate.
You can use a publicly or privately signed certificate for SSH authentication by using its private key in the SSH client.
Here are the steps, in order, to use an x509 certificate for SSH clients:
1: Draft a certificate signing request and have the certificate signed. In my case the CN value was simplified as "kenfelix"; this value DOES NOT NEED TO MATCH THE LOCAL ACCOUNT NAME USED ON THE FORTIGATE, but matching it would help from an audit and management standpoint.
2nd: You need to import that certificate into the FortiGate. I prefer to import it as a PKCS12 and let it be.
3rd: Now you can define the system admin name and select the certificate that you imported, as shown above or below.
NOTE: I also like to upload the CA certificate if you are the signer of the actual system_admin certificate, but this is optional and not required.
4th: Now, for the actual SSH client, you only need the private-key component from the certificate. This should be in PEM format, btw.
e.g. (an encrypted RSA private key based on the above certificate named "kenfelix")
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2FD1E9D43D98C8AB
-----END RSA PRIVATE KEY-----
The easiest and laziest approach would be to take a PFX file and output the cert and private key into a single file, or just extract the private key.
At this point, you could passphrase-protect the private key, which would challenge you every time you start an SSH client session, as shown above with the DES-encrypted key.
Here's a means of extracting the private key with the certificate using openssl:
Okay, now you can test the access by using the file named "mayflile.pem" and the "-i" switch with OpenSSH or your SSH client.
e.g.
NOTE: If your private key is encrypted, then you must use the passphrase for the private key.
e.g.
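One way to script the extraction and sanity checks from step 4, as an added example that is not from the original post: it pulls only the private key out of a PKCS#12 bundle, passphrase-protects it with AES-256, and confirms it matches the bundle's certificate before you hand it to `ssh -i`. The file names, passphrases, host name and the self-signed demo certificate are constructed assumptions.

```shell
#!/bin/sh
# Added example. All names, passphrases and the demo certificate are constructed.

# make_demo_pfx DIR: build throwaway test material (self-signed, CN=demo-admin)
# standing in for the CA-signed PKCS#12 bundle from steps 1 and 2.
make_demo_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-admin" \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null &&
    DEMO_PASS=pfx-pass openssl pkcs12 -export -inkey "$1/demo.key" \
        -in "$1/demo.crt" -passout env:DEMO_PASS -out "$1/demo.pfx" 2>/dev/null
}

# extract_ssh_key PFX PFX_PASS OUT_PEM KEY_PASS
# Writes only the private key, re-encrypted with AES-256 (not the legacy
# DES-EDE3-CBC PEM encryption). The cleartext key exists only inside the pipe,
# and passphrases go through the environment instead of the command line.
extract_ssh_key() {
    ( umask 077
      PFX_PASS=$2 openssl pkcs12 -in "$1" -nocerts -nodes \
          -passin env:PFX_PASS 2>/dev/null |
      KEY_PASS=$4 openssl pkey -aes256 -passout env:KEY_PASS -out "$3" 2>/dev/null
    ) && chmod 600 "$3"   # OpenSSH rejects key files readable by group/other
}

# key_is_encrypted PEM: true for "Proc-Type: 4,ENCRYPTED" (legacy PEM, as in the
# key above) and for "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# key_matches_pfx_cert PFX PFX_PASS KEY_PEM KEY_PASS
# True when the key's public half equals the public key in the bundle's
# certificate, i.e. the file is the key for the certificate selected in step 3.
key_matches_pfx_cert() {
    cert_pub=$(PFX_PASS=$2 openssl pkcs12 -in "$1" -nokeys -clcerts \
        -passin env:PFX_PASS 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(KEY_PASS=$4 openssl pkey -in "$3" -passin env:KEY_PASS \
        -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage (hypothetical host and account):
#   extract_ssh_key admin.pfx "$PFX_PASSPHRASE" admin-key.pem "$KEY_PASSPHRASE"
#   ssh -i admin-key.pem admin@fortigate.example
```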
KenFelix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \