vifi
Staff
February 18, 2026

Troubleshooting Tip: SCEP enrollment fails when using HTTPS and IP in CA server URL

Description

This article describes how to resolve the error 'Certificate verification failed, error 64 (IP address mismatch)' in SCEP.

Scope

FortiGate 7.4 and 7.6.

Solution

SCEP Configuration:

 

config vpn certificate ca
    edit "CA_Cert_1"
        set range global
        set scep-url "https://82.218.17.22/cert/scep"
        set last-updated 1743459249
    next
end


Collect the output of the following debug commands to confirm the error:

 

diagnose debug console timestamp enable
diagnose debug application scep -1
diagnose debug enable

 

The following errors are observed in debug log output:

 

FortiGate# 2025-11-28 07:47:20 __scep_get_ca_cert: starting sscep, version 20030417
2025-11-28 07:47:20 __scep_get_ca_cert: hostname: 82.218.17.22
2025-11-28 07:47:20 __scep_get_ca_cert: directory: /app/cert/scep/
2025-11-28 07:47:20 __scep_get_ca_cert: port: 443(https)
2025-11-28 07:47:20 __get_ca_cert_req: SCEP_OPERATION_GETCA
2025-11-28 07:47:20 __get_ca_cert_req: requesting CA certificate, msg: GET /app/cert/scep/?operation=GetCACert&message=CAIdentifier HTTP/1.0
Host: 82.218.178.22
Connection: close

2025-11-28 07:47:20 __send_recv: dest ip 82.218.17.22, port 443, use_ssl 1, source_ip 0
2025-11-28 07:47:20 __ssl_cert_verify_cb: Certificate verification preverify_ok = 0, depth = 0, subject = 'CN = *.category.co.at'
2025-11-28 07:47:20 __ssl_cert_verify_cb: Certificate verification failed, error 20 (unable to get local issuer certificate)
2025-11-28 07:47:20 __ssl_cert_verify_cb: untrusted CA but let it pass
2025-11-28 07:47:20 __ssl_cert_verify_cb: server cert ok?1
2025-11-28 07:47:20 __ssl_cert_verify_cb: Certificate verification preverify_ok = 0, depth = 0, subject = 'CN = *.category.co.at'
2025-11-28 07:47:20 __ssl_cert_verify_cb: Certificate verification failed, error 64 (IP address mismatch)
2025-11-28 07:47:20 __ssl_cert_verify_cb: server cert ok?0
2025-11-28 07:47:20 __send_recv: tcps_connect failed. (ssl_connect() failed: 167772294 (error:0A000086:SSL routines::certificate verify failed))
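
Why the second verification pass in the log ends in error 64, as an added example (not FortiOS code and not from the original article): it applies standard X.509 identity matching to a `scep-url` and a certificate in Python's `ssl.getpeercert()` dict layout. The SAN contents of the sample certificates are assumptions, since the debug log shows only the subject CN.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample in ssl.getpeercert() layout. The CN is the one in the debug
# log above; the SAN list is an assumption (the log does not show it).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.category.co.at"),),),
    "subjectAltName": (("DNS", "*.category.co.at"),),
}
# Constructed variant that also lists the address as an iPAddress SAN.
CERT_WITH_IP_SAN = dict(WILDCARD_CERT, subjectAltName=(
    ("DNS", "*.category.co.at"), ("IP Address", "82.218.17.22")))

def _dns_match(pattern, host):
    """Match a dNSName; '*' is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_scep_url(scep_url, cert):
    """Return 'no-tls', 'ok', 'ip-mismatch' or 'hostname-mismatch'."""
    url = urlsplit(scep_url)
    if url.scheme != "https":
        return "no-tls"  # plain HTTP: no server certificate is checked at all
    host = url.hostname or ""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SAN entries; dNSName
        # entries and the subject CN are not consulted for it.
        if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans):
            return "ok"
        return "ip-mismatch"  # OpenSSL reports this as error 64
    if any(k == "DNS" and _dns_match(v, host) for k, v in sans):
        return "ok"
    return "hostname-mismatch"  # OpenSSL reports this as error 62

if __name__ == "__main__":
    for u in ("https://82.218.17.22/cert/scep", "http://82.218.17.22/cert/scep"):
        print(u, "->", check_scep_url(u, WILDCARD_CERT))
```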

 

Workaround: When generating the CSR for SCEP, use 'http' instead of 'https' in 'CA Server URL'.

 

Before the change:


config vpn certificate ca
    edit "CA_Cert_1"
        set range global
        set scep-url "https://82.218.17.22/cert/scep" <-----
        set enroll-protocol scep
        set auto-regenerate-days 7
        set auto-regenerate-days-warning 14
    next
end

 


 

After the change:


config vpn certificate ca
    edit "CA_Cert_1"
        set range global
        set scep-url "http://82.218.17.22/cert/scep" <-----
        set enroll-protocol scep
        set auto-regenerate-days 7
        set auto-regenerate-days-warning 14
    next
end

 


 

This is a known issue (ID 1142387), which has been resolved in firmware version 7.6.5.

 

Related article:

Technical Tip: FortiGate Certificate enrollment and renewal using SCEP