Technical Tip: Certificate renewal for Certificate Template with SCEP enrollment deployments
Description
This article describes how to configure certificate renewal in deployments where FortiManager's 'Certificate Template' was used with SCEP enrolment.
Scope
FortiManager, FortiGate.
Solution
By default, when certificate enrolment is configured via a FortiManager 'Certificate Template', as explained in Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA, no renewal-related configuration is added to the FortiGate.
As a result, when the certificate is about to expire, the administrator can either re-run the enrolment process on FortiManager manually (or import the renewed certificate directly into the FortiGate), or rely on automatic renewal over the SCEP protocol.
To use SCEP-based renewal, add the following configuration as a CLI template or directly to the FortiGate:
config vpn certificate local
    edit <name>
        set scep-url "http://<IP_ADDRESS>/app/cert/scep/"
        set enroll-protocol scep
        set auto-regenerate-days 7
        set auto-regenerate-days-warning 14
        set scep-password <passwd>
    next
end
Note:
During the first enrolment via Certificate Template, the certificate is pushed to the FortiGate through the FGFM tunnel. For subsequent renewals, however, the FortiGate must be able to reach the CA server's SCEP URL directly, because FortiManager no longer participates in the process.
To change the routing behaviour of the SCEP flow, adjust the interface selection method and the source IP, if needed:
FGT# config vpn certificate setting
    set interface-select-method [auto|specify|sdwan]
end
FGT# config vpn certificate local
    edit <name>
        set source-ip <IP_ADDRESS>
    end
Troubleshooting:
To troubleshoot certificate renewal over SCEP, check the output of the SCEP and FortiCron daemons.
For SCEP debugging:
FGT# diagnose debug application scep 255
For FortiCron testing:
FGT# diagnose test application forticron 2
Name-FAC_SCEP: type=local, realm=global, days=2, days_warn=2, source=0.0.0.0, warning_logged=1
    scep=http://10.5.149.111/app/cert/scep/
    warning_time=2025-11-24 19:57:32
GUI SSL cert timer: 76433, total_updates: 1, last_updated: Tue Oct 28 02:42:35 2025
For FortiCron debugging:
FGT# diagnose debug application forticron 255
FGT# diagnose debug enable
fcron_timer_func()-25: Timer cert_upd fired
fcron_update_timer_func()-342:
__check_exp_date()-247: check cert-FAC_SCEP, vfid 0, is_global 1
cert_update_auto_gen_info()-362: cert FAC_SCEP expires at 2025-11-27 03:57:32 GMT
__local_scep_auto_regenerate()-97: Auto regenerate certificate-FAC_SCEP, vfid-0, global-1.
fcron_start_cert_scep()-824:
scep_cert_init()-764: Hostname: 10.5.149.111
scep_cert_init()-765: Directory: /app/cert/scep/
scep_cert_init()-766: Port: 80(http)
scep_cert_init()-784: cert&pkey loaded using FAC_SCEPVDOM0
fcron_start_cert_scep()-858: Added and Start cert FAC_SCEP
scep_start()-743: resolve 10.5.149.111
scep_resolv_cb()-736: IP of scep-10.5.149.111 is 10.5.149.111
scep_start_connect()-682:
fcron_cert_bind_interface()-784:
fcron_cert_bind_interface()-790: bind to interface 0 for 0.0.0.0->10.5.149.111.
fcron_timer_func()-32: Timer cert_upd done
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a5470 epoll events 0x04
scep_connect()-658:
scep_connect()-668: SCEP connection(10.5.149.111) started.
socket: 25
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a51e0 epoll events 0x04
scep_rxtx()-593: state 0
cert_buf_realloc()-124: new size 2048
scep_rxtx()-640: new event EPOLLIN
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 1
scep_recv()-509: read 1449 bytes: pos=0, len=2048
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 1
scep_check_payload_size()-311: received the header from server: 10.5.149.111:80 [HTTP/1.1 200 OK
Date: Mon, 24 Nov 2025 11:31:35 GMT
Content-Length: 1188
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: fullscreen=(self)
Connection: close
Content-Type: application/x-x509-ca-cert
]
find_content_length()-273: content-length 1188
scep_recv()-519: data: pos=1188, sz=2048, content-length=1188
scep_recv()-527: got CA, re-connecting the host. send PKCSREQ request
scep_stop_connect()-152:
scep_start_connect()-682:
fcron_cert_bind_interface()-784:
fcron_cert_bind_interface()-790: bind to interface 0 for 0.0.0.0->10.5.149.111.
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a5470 epoll events 0x04
scep_connect()-658:
scep_connect()-668: SCEP connection(10.5.149.111) started.
socket: 25
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a51e0 epoll events 0x04
scep_rxtx()-593: state 2
build_cert_request()-204:
cert_buf_realloc()-124: new size 9678
scep_rxtx()-640: new event EPOLLIN
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 3
scep_recv()-509: read 283 bytes: pos=0, len=9678
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 3
scep_check_payload_size()-311: received the header from server: 10.5.149.111:80 [HTTP/1.1 200 OK
Date: Mon, 24 Nov 2025 11:31:35 GMT
Content-Length: 25
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: fullscreen=(self)
Connection: close
Content-Type: application/x-pki-message
]
find_content_length()-273: content-length 25
scep_recv()-519: data: pos=25, sz=9678, content-length=25
scep_handle_cert_reply()-404: unwrap cert reply
scep_recv()-554: SCEP request is failed
scep_stop()-193:
scep_stop_connect()-152:
scep_cleanup()-168: scep_cleanup, state 3, name FAC_SCEPVDOM0, vfid 0, is_global 1.
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_timer_func()-23: Timer traf_his fired
fcron_timer_func()-32: Timer traf_his done
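The FortiCron debug output above is verbose, and a renewal failure is easy to miss among the epoll lines. The following Python helper is an added example, not Fortinet code: it parses a constructed sample condensed from that transcript, reconstructs the SCEP URL and certificate expiry, records which SCEP steps (GetCACert, PKCSReq) the CA answered, flags the 'SCEP request is failed' line, and classifies the current time against the auto-regenerate-days / auto-regenerate-days-warning thresholds. The function names and the assumption that those thresholds are compared against whole days remaining are the author's, not FortiOS's.

```python
import re
from datetime import datetime, timezone
# Constructed sample, condensed from the forticron debug transcript on this page.
SAMPLE_LOG = """\
cert_update_auto_gen_info()-362: cert FAC_SCEP expires at 2025-11-27 03:57:32 GMT
scep_cert_init()-764: Hostname: 10.5.149.111
scep_cert_init()-765: Directory: /app/cert/scep/
scep_cert_init()-766: Port: 80(http)
Content-Type: application/x-x509-ca-cert
scep_recv()-527: got CA, re-connecting the host. send PKCSREQ request
Content-Length: 25
Content-Type: application/x-pki-message
scep_recv()-554: SCEP request is failed
"""

def parse_forticron_debug(text):
    """Summarise one forticron SCEP renewal attempt from its debug lines."""
    info = {"cert": None, "expires": None, "url": None, "steps": [],
            "result": "no failure logged"}
    host = path = last_len = None
    for line in text.splitlines():
        if m := re.search(r"cert (\S+) expires at (.+) GMT$", line):
            info["cert"], exp = m.group(1), m.group(2)
            info["expires"] = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        elif m := re.search(r"Hostname: (\S+)", line):
            host = m.group(1)
        elif m := re.search(r"Directory: (\S+)", line):
            path = m.group(1)
        elif m := re.search(r"Port: (\d+)\((\w+)\)", line):
            info["url"] = f"{m.group(2)}://{host}:{m.group(1)}{path}"  # e.g. http://host:80/app/cert/scep/
        elif m := re.match(r"Content-Length: (\d+)", line):
            last_len = int(m.group(1))  # size of the body that follows this header
        elif "application/x-x509-ca-cert" in line:
            info["steps"].append("GetCACert answered")  # CA cert is fetched first
        elif "send PKCSREQ request" in line:
            info["steps"].append("PKCSReq sent")
        elif "application/x-pki-message" in line:
            info["steps"].append(f"PKCSReq answered ({last_len} bytes)")
        elif "SCEP request is failed" in line:
            info["result"] = "failed"
    return info

def renewal_state(expires, now, regen_days, warn_days):
    """'renew', 'warn' or 'ok' for 'now' against the auto-regenerate thresholds (assumption: whole days left)."""
    remaining = (expires - now).days
    if remaining <= regen_days:
        return "renew"
    return "warn" if remaining <= warn_days else "ok"
```

Run it over a captured `diagnose debug application forticron 255` session to get a one-line verdict per renewal attempt; the 25-byte pki-message body in this transcript is far too small to carry an issued certificate, which matches the failure line that follows it.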
Related articles:
Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA
Technical Tip: FortiGate Certificate enrollment and renewal using SCEP