- Create a server certificate from FortiAuthenticator (unless there is an existing server certificate) at Certificate Management > End Entities > Local Services and select 'Create New'. Download the certificate as it is needed in a later step.
- Enable CMPv2 at Certificate Management -> CMP -> General: enable CMPv2, select the server certificate created in the first step, and set a default enrollment password.
- Enable CMP and HTTP on the network interface that is planned to serve CMP at System -> Network -> Interfaces -> [Interface].
[Screenshot: CMP service on interface]
Services required:
- HTTP (tcp/80) or HTTPS (tcp/443)
- CMP (/app/cert/cmp2/)
- Create a new enrollment request at Certificate Management -> CMP -> Enrollment Requests by selecting 'Create New'. Choose either 'Regular' for user certificate enrollment or 'Device (3GPP)' for device enrollment. Regular enrollment requires the use of the enrollment password, whereas device enrollment requires the use of the existing device certificate and key.
- From the client machine, generate a new RSA private key file:
#openssl genrsa 2048 > [key file name]
Example command execution and output:
#openssl genrsa 2048 > user.key
OpenSSL generates no output for this command.
Example to initialize an enrollment request of type 'Regular' (as selected in step 4):
#openssl cmp -cmd ir -server [FAC server IP]:80 -path /app/cert/cmp2/ -srvcert [FAC server certificate file] -ref [sendername] -secret 'pass:[password]' -certout [certificate output file] -newkey [key file name] -subject "/CN=usera"
Example command execution:
#openssl cmp -cmd ir -server remote.forti.lab:80 -path /app/cert/cmp2/ -srvcert remote.forti.lab.cer -ref usera -secret 'pass:fortinet' -certout user.cer -newkey user.key -subject "/CN=usera"
Example to initialize an enrollment request of type 'Device (3GPP)' (as selected in step 4):
#openssl cmp -cmd ir -server [FAC server IP]:80 -path /app/cert/cmp2/ -srvcert [FAC server certificate file] -ref [sendername] -certout [certificate output file] -newkey [key file name] -key [existing device private key] -cert [existing device certificate]
Device enrollment requires the client to authenticate with an existing certificate and its private key, issued by the 'Device vendor CA certificate' selected in the enrollment request template. The options '-key' and '-cert' supply them and are required for this type.
[Screenshot: Device Authorization CA selection]
Note:
The 'Restrict enrollment by serial number' option can be used to restrict the enrollment requests to certain serial numbers, if required.
Example command execution and output:
#openssl cmp -cmd ir -server remote.forti.lab:80 -path /app/cert/cmp2/ -srvcert remote.forti.lab.cer -ref newdevice -certout newdevice.cer -newkey newdevice.key -key originaldevice.key -cert originaldevice.cer
cmp_main:../apps/cmp.c:2751:CMP info: using section(s) 'cmp' of OpenSSL configuration file '/usr/lib/ssl/openssl.cnf'
cmp_main:../apps/cmp.c:2759:CMP info: no [cmp] section found in config file '/usr/lib/ssl/openssl.cnf'; will thus use just [default] and unnamed section if present
setup_client_ctx:../apps/cmp.c:1958:CMP info: will contact http://remote.forti.lab:80/app/cert/cmp2/
CMP info: sending IR
CMP info: received IP
CMP info: sending CERTCONF
CMP info: received PKICONF
save_free_certs:../apps/cmp.c:2005:CMP info: received 1 enrolled certificate(s), saving to file 'newdevice.cer'
[Screenshot: Enrollment status result]
[Screenshot: Enrollment templates]
Note:
Enrollment templates without a subject become wildcard templates and will generate new certificate request entries.
Troubleshooting:
- CMP over HTTP on port 80 is unencrypted, which makes it convenient for troubleshooting: run a packet capture of the request on port 80 and compare what the client sends with what the server logs.
- The client sends a header containing a sender and a recipient. The sender is either the client certificate's subject or the sender name specified with -ref, and the recipient must match the FortiAuthenticator server certificate selected in the General CMP settings on FortiAuthenticator.
- The client sends a body containing the certificate request message, which should include the certificate subject.
- The client may send 'extraCerts'; for device enrollment this is required and must include the client certificate (specified with -cert), and OpenSSL may automatically add the CA certificate(s).
The FortiAuthenticator debug logs at https://fac-ip/debug/scepd can also help to visualize the enrollment, provided debug mode is enabled:
[Screenshot: SCEP / CMP debug]
If a successful enrollment is to be repeated for testing purposes, a new private key needs to be created.
Example debug logs on the process above:
2025-08-13T17:09:16.541230+02:00 FortiAuthenticator scepd[31164]: scepd.cpp:155: operation = cmp
2025-08-13T17:09:16.541341+02:00 FortiAuthenticator scepd[31164]: scepd.cpp:156: message = /tmp/cmp_q9qmxcq1.dat
2025-08-13T17:09:16.544542+02:00 FortiAuthenticator scepd[1617]: CMP server: begin processing request (trans_id = '5a83d53a297f1a898d48aa32563d28da')
2025-08-13T17:09:16.544626+02:00 FortiAuthenticator scepd[1617]: --> Creating new CMP server context to handle request
2025-08-13T17:09:16.544644+02:00 FortiAuthenticator scepd[1617]: Successfully created CMP server context
2025-08-13T17:09:16.544715+02:00 FortiAuthenticator scepd[1617]: CMP body type = 0 (IR)
2025-08-13T17:09:16.544722+02:00 FortiAuthenticator scepd[1617]: Protection alg = 668 (RSA-SHA256)
2025-08-13T17:09:16.546930+02:00 FortiAuthenticator scepd[1617]: mo_get_enrollments.cpp:152: there are 1 pending CMP device CAs
2025-08-13T17:09:16.547245+02:00 FortiAuthenticator scepd[1617]: Loaded CA certs for device enrollment.
2025-08-13T17:09:16.547254+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_server.c,476] OSSL_CMP_SRV_process_request: received IR
2025-08-13T17:09:16.547282+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_vfy.c,554] OSSL_CMP_validate_msg: validating CMP message
2025-08-13T17:09:16.547901+02:00 FortiAuthenticator scepd[1617]: ** cmp_process_cert_request **
2025-08-13T17:09:16.547907+02:00 FortiAuthenticator scepd[1617]: CMP body type = 0 (IR)
2025-08-13T17:09:16.547916+02:00 FortiAuthenticator scepd[1617]: Subject='/CN=newdevice'
2025-08-13T17:09:16.548924+02:00 FortiAuthenticator scepd[1617]: CMP device: validated firmware cert has issuer: /CN=lab-CA <- Matching the templates' issuer with the issuer of the device vendor certificate.
2025-08-13T17:09:16.549658+02:00 FortiAuthenticator scepd[1617]: mo_get_enrollments.cpp:124: there are 1 pending CMP device enrollment(s)
2025-08-13T17:09:16.549665+02:00 FortiAuthenticator scepd[1617]: mo_get_enrollments.cpp:555: checking enroll req (id=46) issuer: /CN=lab-CA
2025-08-13T17:09:16.549690+02:00 FortiAuthenticator scepd[1617]: mo_get_enrollments.cpp:560: found matching issuer (id=46)
2025-08-13T17:09:16.549694+02:00 FortiAuthenticator scepd[1617]: Update DN in firmware certificate enrollment
2025-08-13T17:09:16.549699+02:00 FortiAuthenticator scepd[1617]: Returning entry: 46
2025-08-13T17:09:16.549970+02:00 FortiAuthenticator scepd[1617]: mo_sign_request.cpp:512: running command to sign request with args:
2025-08-13T17:09:16.549975+02:00 FortiAuthenticator scepd[1617]: cmd args: python /var/www/fac/manage.pyc sign_x509_req --id=46 --trans-id=5a83d53a297f1a898d48aa32563d28da --pubkey=/tmp/cmp/x509req.4x1Ubq --renewal=0 --subject=/CN=newdevice --protocol=cmp
2025-08-13T17:09:19.923651+02:00 FortiAuthenticator scepd[1617]: mo_sign_request.cpp:535: successfully signed certificate request for transaction 5a83d53a297f1a898d48aa32563d28da
2025-08-13T17:09:19.926367+02:00 FortiAuthenticator scepd[1617]: db_utils.cpp:267: Retrieved client cert from DB: -----BEGIN CERTIFICATE----- MIIDQDCCAiigAwIBAgIJAPrdp/UPwa6WMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV BAGMCUNBX3JlbW90ZTAeFw0yNTA4MTMxNTA5MTlaFw0yNjA4MITMxNTA5MlaMBEx DzANBgNVBAMMEmNsaWVudDCCASIwDQYJKoZIhvcNAQ...
2025-08-13T17:09:19.927983+02:00 FortiAuthenticator scepd[1617]: db_utils.cpp:292: Retrieved CA cert from DB: -----BEGIN CERTIFICATE----- MIIDMDCCAhigAwIBAgIIbGfRWzJGxPcwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UE AwwJQ0FfcmVtb3RlMB4XDTIzMDgyODE1MTMzOVoXDTMzMDgyNTE1MTMzOVowFDES MBAGA1UEAwwJQ0FfcmVtb3RlMIIBIjANBgkqhkiG9w...
2025-08-13T17:09:19.928319+02:00 FortiAuthenticator scepd[1617]: Returning OSSL_CMP_PKISTATUS_accepted
2025-08-13T17:09:19.939337+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_protect.c,146] ossl_cmp_msg_add_extraCerts: trying to build chain for own CMP signer cert
2025-08-13T17:09:19.939358+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_protect.c,151] ossl_cmp_msg_add_extraCerts: success building chain for own CMP signer cert
2025-08-13T17:09:19.939414+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_server.c,614] OSSL_CMP_SRV_process_request: sending IP
2025-08-13T17:09:19.939424+02:00 FortiAuthenticator scepd[1617]: CMP process_request done (success)
2025-08-13T17:09:19.939437+02:00 FortiAuthenticator scepd[1617]: mo_handle_cmp_op.cpp:211: preparing reply headers
2025-08-13T17:09:19.951274+02:00 FortiAuthenticator scepd[31195]: scepd.cpp:155: operation = cmp
2025-08-13T17:09:19.951394+02:00 FortiAuthenticator scepd[31195]: scepd.cpp:156: message = /tmp/cmp_bbrj94eq.dat
2025-08-13T17:09:19.954016+02:00 FortiAuthenticator scepd[1617]: CMP server: begin processing request (trans_id = '5a83d53a297f1a898d48aa32563d28da')
2025-08-13T17:09:19.954032+02:00 FortiAuthenticator scepd[1617]: CMP body type = 24 (CERTCONF)
2025-08-13T17:09:19.954036+02:00 FortiAuthenticator scepd[1617]: Protection alg = 668 (RSA-SHA256)
2025-08-13T17:09:19.954042+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_server.c,476] OSSL_CMP_SRV_process_request: received CERTCONF
2025-08-13T17:09:19.954079+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_vfy.c,554] OSSL_CMP_validate_msg: validating CMP message
2025-08-13T17:09:19.954355+02:00 FortiAuthenticator scepd[1617]: Received CertConf message for req id 0
2025-08-13T17:09:19.963304+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_server.c,614] OSSL_CMP_SRV_process_request: sending PKICONF
2025-08-13T17:09:19.963317+02:00 FortiAuthenticator scepd[1617]: CMP process_request done (success)
2025-08-13T17:09:19.963322+02:00 FortiAuthenticator scepd[1617]: mo_handle_cmp_op.cpp:211: preparing reply headers
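To check a saved scepd debug log mechanically instead of reading it by eye, here is an added Python example (not Fortinet's code) that parses lines in the format shown above, groups them by trans_id and reports whether the IR/IP/CERTCONF/PKICONF exchange completed. The sample lines are constructed after the output above and include a rejected transaction that the log above does not show.

```python
import re
# Constructed sample modelled on the scepd debug output above; the second
# transaction is a constructed rejection (the page only shows the success path).
SAMPLE_LOG = """\
2025-08-13T17:09:16.544542+02:00 FortiAuthenticator scepd[1617]: CMP server: begin processing request (trans_id = '5a83d53a297f1a898d48aa32563d28da')
2025-08-13T17:09:16.544715+02:00 FortiAuthenticator scepd[1617]: CMP body type = 0 (IR)
2025-08-13T17:09:16.547916+02:00 FortiAuthenticator scepd[1617]: Subject='/CN=newdevice'
2025-08-13T17:09:16.548924+02:00 FortiAuthenticator scepd[1617]: CMP device: validated firmware cert has issuer: /CN=lab-CA
2025-08-13T17:09:19.928319+02:00 FortiAuthenticator scepd[1617]: Returning OSSL_CMP_PKISTATUS_accepted
2025-08-13T17:09:19.939414+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_server.c,614] OSSL_CMP_SRV_process_request: sending IP
2025-08-13T17:09:19.954016+02:00 FortiAuthenticator scepd[1617]: CMP server: begin processing request (trans_id = '5a83d53a297f1a898d48aa32563d28da')
2025-08-13T17:09:19.954032+02:00 FortiAuthenticator scepd[1617]: CMP body type = 24 (CERTCONF)
2025-08-13T17:09:19.963304+02:00 FortiAuthenticator scepd[1617]: E(7) => [crypto/cmp/cmp_server.c,614] OSSL_CMP_SRV_process_request: sending PKICONF
2025-08-13T17:10:02.100000+02:00 FortiAuthenticator scepd[1617]: CMP server: begin processing request (trans_id = 'ffffffffffffffffffffffffffffffff')
2025-08-13T17:10:02.100100+02:00 FortiAuthenticator scepd[1617]: CMP body type = 0 (IR)
2025-08-13T17:10:02.100200+02:00 FortiAuthenticator scepd[1617]: Subject='/CN=usera'
2025-08-13T17:10:02.100300+02:00 FortiAuthenticator scepd[1617]: Returning OSSL_CMP_PKISTATUS_rejection
"""
BEGIN_RE = re.compile(r"begin processing request \(trans_id = '([0-9a-f]+)'\)")
BODY_RE = re.compile(r"CMP body type = \d+ \((\w+)\)")       # message received
SEND_RE = re.compile(r"OSSL_CMP_SRV_process_request: sending (\w+)")  # message sent
FACT_RES = {
    "subject": re.compile(r"Subject='([^']+)'"),
    "issuer": re.compile(r"validated firmware cert has issuer: (\S+)"),
    "status": re.compile(r"Returning OSSL_CMP_PKISTATUS_(\w+)"),
}
EXPECTED_FLOW = ["IR", "IP", "CERTCONF", "PKICONF"]  # server-side view of one initialization

def parse_scepd_log(text):
    # Group lines by trans_id; the same id reappears for the CERTCONF round trip.
    txs, current = {}, None
    for line in text.splitlines():
        if m := BEGIN_RE.search(line):
            current = txs.setdefault(m.group(1), {"flow": [], "subject": None, "issuer": None, "status": None})
        elif current is None:
            continue  # lines before the first request header
        elif m := (BODY_RE.search(line) or SEND_RE.search(line)):
            current["flow"].append(m.group(1))
        else:
            for key, rx in FACT_RES.items():
                if m := rx.search(line):
                    current[key] = m.group(1)
    return txs

def enrollment_verdict(tx):
    # 'complete', 'rejected', or which messages never appeared.
    if tx["status"] not in (None, "accepted"):
        return "rejected"
    if tx["flow"] == EXPECTED_FLOW:
        return "complete"
    return "incomplete: missing " + ",".join(s for s in EXPECTED_FLOW if s not in tx["flow"])
```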
Related documents:
FortiAuthenticator administration guide on CMP
Technical Tip: How to make a CMP certificate signing request from FortiGate to FortiAuthenticator