Skip to main content
athirat
Staff
athirat
Staff
November 29, 2024

Technical Tip : How to generate a 3GPP certificate on FortiGate using FortiAuthenticator as the CMPv2 server

  • November 29, 2024
  • 0 replies
  • 1087 views
Description

This article describes how to use FortiAuthenticator as a CMPv2 server to rollout 3GPP certificates to FortiGates in SecGw for mobile network deployments.
Scope

FortiGate v6.2.x onwards, FortiAuthenticator v6.6.x onwards.
Solution

Find the steps below for setup :

 

On FortiAuthenticator :

 

  1. Go to 'Certificate Management -> CMP -> General' to enable CMPV2.

Once enabled, select a server certificate and setup the default enrollment password:

 

athirat_0-1732871505201.png

 

 

  1. Go to 'Network -> Interfaces' to enable CMP services under the interface on which FortiGate will be connecting:

Note: Can use HTTPS or HTTP - this example demonstrates TCP/80.

 

athirat_1-1732871720964.png

 

  1. Go to 'Certificate Management -> Local CAs' and set up a Local CA certificate which will be used for signing the requests.

 


athirat_3-1732872145616.png

 

  1. Go to 'Certificate Management -> CMP -> Enrollment Request' and create a new enrollment certificate with the request type set to '3GPP'.

Note: The Device vendor CA certificate would be the CA signing the FortiGate authentication certificate. In this example, the 'Fortinet_Factory' certificate will be used on FortiGate, so the Fortinet CA certificate is selected.

 

athirat_4-1732872396257.png

 

The enrolment request can be customized as per requirement by setting an appropriate renewal period and selecting the required key usages.

This will be seen in the 'Pending' status when created:

 

athirat_5-1732873222509.png

 

On FortiGate:

  1. Import the FortiAuthenticator server certificate under 'Remote Certificate':

 

config certificate remote

# edit G_REMOTE_Cert_1

(G_REMOTE_Cert_1) # get
name : G_REMOTE_Cert_1
remote :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Fortiauthenticator, CN = Default-Server-Certificate-D01CBD01
.....

 

  1. The IR syntax on FortiGate is as follows:

 

execute vpn certificate local generate cmp <local name> <key size> <server-address:port> <path> <SrvCert> <AuthCert> <username> <password> 

 

In this example:

 

execute vpn certificate local generate cmp SecGW-cert 2048 10.5.145.56:80 /app/cert/cmp2/ G_REMOTE_Cert_1 Fortinet_Factory

Certificate CMP IR started, Please check it in a while

 

Successfully issued:

 

config certificate local

    edit SecGW-cert

        get

        name : SecGW-cert
        password : *
        comments :
        private-key :
        certificate :
        Subject: CN = FG481FTK1111111.unknown.com
        Issuer: O = test, OU = SECGW, CN = FAC

        .

        .
        state :
        range : global
        source : user
        source-ip : 0.0.0.0
        ike-localid-type : asn1dn
        enroll-protocol : cmpv2
        cmp-server : 10.5.145.56
        cmp-path : /app/cert/cmp2/
        cmp-server-cert : G_REMOTE_Cert_1
        cmp-regeneration-method: keyupate
        auto-regenerate-days: 0
        auto-regenerate-days-warning: 0

       

Troubleshooting:

 

On FortiGate, the process can be tracked using CMP debugs below or by running sniffers to FortiAuthenticator IP:

 

diagnose debug reset

diagnose debug application cmp 255

diagnose debug enable

 

In captures on filtering CMP:

 

athirat_6-1732874490387.png

 

On FortiAuthenticator, debugs are available on the Debug page -> Others -> SCEP/CMP.
Terms & ConditionsAccessibility statement