User certificate validation - FortiClient VPN client

Bojan Zivkovic 526 Reputation points
2021-11-04T11:31:36.09+00:00

Hi, we have a branch in Europe with the whole staff working remotely via VPN. The FortiClient VPN client is being used with a user certificate as second-factor authentication (issued from an Enterprise CA in the US). The CDP/AIA extensions of the certificate are published in AD (LDAP).

My question is: what would happen if the link between Europe and the US goes down? Will employees in Europe be able to connect to the VPN and work with at least the servers hosted in Europe? My logic is that during validation the CRL/AIA are checked, and since they are in the AD configuration partition, the FortiClient VPN client will find an available DC in Europe (it can even be an RODC) and confirm the user certificate is OK, hence letting him/her in without any need to contact the CA in the US that is unreachable.

Am I right, and if so, does the same process of validation always happen in the background for anything requiring certificates? Thank you very much in advance.
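The following PowerShell is an added example, not part of the original question or of anything FortiClient ships. It shows how to verify, on a domain-joined Windows client, exactly which CDP/AIA endpoints a user certificate actually carries and whether each one is reachable from the current site, which is the question above in checkable form. It assumes the VPN user certificate sits in the current user's Personal store with the Client Authentication EKU (a hypothetical selection filter; adjust it to your own certificate), that the RSAT Active Directory module is installed for DC discovery, and that the final `certutil -verify -urlfetch` reflects the Windows CryptoAPI chain engine rather than whatever validation path the VPN client itself uses.

```powershell
# Added example: list CDP/AIA URLs on a user certificate and test reachability.
# Assumption: the VPN certificate has the Client Authentication EKU (1.3.6.1.5.5.7.3.2)
# and a private key; change this filter if your certificate is identified differently.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Select-Object -First 1
if (-not $cert) { throw 'No client-authentication certificate found in Cert:\CurrentUser\My' }

# Extension OIDs: 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
$urls = foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        # Format($true) renders the extension as multi-line text; pull every URL it lists
        [regex]::Matches($ext.Format($true), '(?i)(ldap|http)s?://\S+') | ForEach-Object {
            [pscustomobject]@{ Extension = $ext.Oid.FriendlyName; Url = $_.Value }
        }
    }
}

# Assumption: the nearest writable or read-only DC is what an LDAP CDP/AIA entry will be resolved against.
# AD-published URLs have an empty host (ldap:///CN=...), so the literal URL cannot be probed directly.
$dc = [string](Get-ADDomainController -Discover -NextClosestSite).HostName

$results = foreach ($u in $urls) {
    if ($u.Url -match '^(?i)ldaps?://') {
        # Port 636 for ldaps, 389 for ldap; the lookup is served by any DC in the forest,
        # which is why an RODC in the remote site is enough for this part of validation.
        $target = $dc
        $port   = if ($u.Url -match '^(?i)ldaps://') { 636 } else { 389 }
    } else {
        # HTTP CDP/AIA points at a specific web server, usually next to the CA itself.
        $uri    = [uri]$u.Url
        $target = $uri.Host
        $port   = $uri.Port
    }
    $ok = (Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    [pscustomobject]@{
        Extension = $u.Extension
        Url       = $u.Url
        Target    = "$target`:$port"
        Reachable = $ok
    }
}
$results | Format-Table -AutoSize

# Full chain build with URL fetching, logging which CDP/AIA URL each step actually used.
# This exercises the Windows CryptoAPI engine; it is a sanity check, not a statement about the VPN client.
$cerPath = Join-Path $env:TEMP 'vpnuser.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
certutil -verify -urlfetch $cerPath
```

Run it from a workstation in the European site while the WAN link is up, then repeat during a planned maintenance window with the link down: if every row whose URL starts with `ldap://` stays reachable while any `http://` row fails, the certificate chain can still be built locally only if the chain's issuing and root CAs are published in the AD configuration partition as well, which the `certutil -verify -urlfetch` output at the end makes visible step by step.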

Active Directory

1 answer

  1. Limitless Technology 39,796 Reputation points
    2021-11-04T20:36:13.317+00:00

    Hello @Bojan Zivkovic

    As long as these are domain-joined computers that have connected at least once, they will not have any problem. If you use domain credentials to log on to the VPN server, the certificate is automatically installed in the Trusted Root Certification Authorities store. However, if the computer is not joined to the domain or if you use an alternative certificate chain, you may experience login errors.

    Hope this helps with your query,

    ------------

    --If the reply is helpful, please Upvote and Accept as answer--

