This certificate will be requested every time we log in via the WebGUI. The steps are summarized as:
1: Upload the trusted CA to the FortiGate certificate store
2: Create a user peer and set the CA and CN values
3: Create a PKI admin
4: Enable admin PKI
5: Optionally, set two-factor on the user peer so the user needs both a certificate and a password
6: !!!! This is a great approach if you need HTTPS access from the untrusted and dangerous internet !!!!
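The six steps above in FortiOS CLI form, as an added example that is not the author's own configuration. The object names CA_Cert_1, pki2 and the group pki are the ones the post uses; the CN value, the PEM body, the password, the admin profile, the VDOM and the mapping of "enable admin-pki" to admin-https-pki-required are assumptions made for the example.

```fortios
# Added example, not the post's configuration. Names CA_Cert_1, pki2 and
# group pki come from the post; CN, PEM body, password, profile and VDOM
# are placeholders/assumptions.

# 1: Import the trusted CA into the certificate store (the GUI upload
#    produces the same object).
config vpn certificate ca
    edit "CA_Cert_1"
        set ca "-----BEGIN CERTIFICATE-----
<PEM body of the trusted root CA goes here>
-----END CERTIFICATE-----"
    next
end

# 2: Peer user. Only certificates issued by CA_Cert_1 whose subject CN is
#    exactly the configured string are accepted (cn-type string). Set the
#    CN: without it, every certificate from that CA would match the peer.
# 5: two-factor enable requires a password in addition to the certificate.
config user peer
    edit "pki2"
        set ca "CA_Cert_1"
        set cn "pki2"
        set cn-type string
        set two-factor enable
        set passwd "<set-a-strong-password>"
    next
end

# Put the peer in a group so the admin entry can reference it.
config user group
    edit "pki"
        set member "pki2"
    next
end

# 3: PKI admin bound to that peer group (accprofile and vdom assumed).
config system admin
    edit "pki2"
        set accprofile "super_admin"
        set vdom "root"
        set peer-auth enable
        set peer-group "pki"
    next
end

# 4: Require a client certificate for every HTTPS admin login.
config system global
    set admin-https-pki-required enable
end
```

Apply the last block only after a certificate login with the new admin has been tested from another session: once admin-https-pki-required is enabled, admins without a valid certificate lose GUI access, so keep console or SSH access available while rolling this out.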
Here's a view of these simple steps. I will not bother with showing the user CSR generation.
My Socpuppets CA root certificates
User peer defined via CLI
Notice the two-factor and password settings; my CA certificate is known as CA_Cert_1
NOTE: pki2 is my admin configuration and is a member of the user group named simply pki
Admin configuration
A typical WebGUI admin login, with the certificate imported into Firefox
Here are a few Chrome-based browsers challenging my user (these cannot access the Mac OS X certificate store directly)
The Firefox browsers are the best and most reliable based on my experience
Any web users with no certificate will generate a log message similar to the one below
A certificate decoder view of the user certificate (notice the CN that was used for the PKI user)
NOTE: This certificate was built with a short lifetime because of some other testing that I'm doing. In reality you will define the certificate lifetime as the system admin requires. A consultant on a project might get a shorter lifetime than IT security staff.
A few business cases where PKI admin has been a success:
- remote DR sites that need WebUI access via the internet
- certificates issued by a trusted CA are hard to forge
- a user cannot easily share his/her remote password, which prevents password sharing
- remote-support engineers who need limited-lifetime and limited-scope remote access when TeamViewer or WebEx is not an option
- makes it next to impossible to brute-force a login against the device
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \