FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
btey
Article Id 335389
Description This article shows an example of Certificate Management Protocol (CMP) configuration with OpenSSL.
Scope FortiAuthenticator v6.6.x
Solution
  1. Create a server certificate on FortiAuthenticator (skip this step if a suitable server certificate already exists) by going under Certificate Management -> End Entities -> Local Services and selecting 'Create New'.
  2. Enable CMPv2 by going under Certificate Management -> CMP -> General: enable CMPv2, select the server certificate created above, and set a default enrollment password.
  3. Enable HTTP and CMP on the network interface that will serve CMP requests by going under System -> Network -> Interfaces -> [Interface] and enabling the following services:

  • HTTP (TCP/80)
  • CMP (/app/cert/cmp2/)

[Screenshot: interface services.png]

  4. Create an enrollment request by going under Certificate Management -> CMP -> Enrollment Requests and selecting 'Create New'.
  5. From the client machine, generate an RSA private key file:

# openssl genrsa 2048 > [key file name]

Then send the initialization request (ir) to FortiAuthenticator over the CMP path enabled in step 3:

# openssl cmp -cmd ir -server [FAC server IP]:80 -path /app/cert/cmp2/ -srvcert [FAC server certificate] -ref usera -secret 'pass:[password]' -certout [certificate output] -newkey [key file name] -subject "/CN=usera"

[Screenshot: openssl_enrollment.png]

Enrollment status:

[Screenshot: enrollment status.png]
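As an added example that is not part of this article or Fortinet's own tooling, the POSIX shell script below wraps the client side of steps 5 and 6 (key generation and the ir request) and adds the two checks a practitioner wants before deploying the issued certificate: that it carries the public half of the locally generated key, and that its subject CN is the enrolled reference ID. The `openssl cmp` subcommand requires OpenSSL 3.0 or later; the FAC address, file names and the use of a secret file (OpenSSL's `file:` passphrase source in place of the article's `pass:`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): drives the CMP initialization
# request (ir) from the article against FortiAuthenticator and checks the issued
# certificate before it is trusted. Host, file names and the reference ID are
# placeholders; the enrollment password is read from a file ("file:" passphrase
# source) instead of 'pass:...' so it does not appear in argv or shell history.

# Runs the openssl cmp command from the article. Pass "command" as $1 to execute
# it, or "echo" to preview the exact command line without contacting the server.
cmp_ir() {
  run=$1 host=$2 srvcert=$3 ref=$4 secret_file=$5 key=$6 certout=$7
  "$run" openssl cmp -cmd ir -server "$host:80" -path /app/cert/cmp2/ \
    -srvcert "$srvcert" -ref "$ref" -secret "file:$secret_file" \
    -newkey "$key" -certout "$certout" -subject "/CN=$ref"
}

# Two checks before deploying what the CA returned:
#  1. the certificate carries the public half of the key generated locally,
#  2. its subject CN is the reference ID that was enrolled.
verify_issued_cert() {
  key=$1 cert=$2 ref=$3
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] || return 1
  openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | grep -qE "CN=$ref(,|\$)"
}

# Full client-side flow: key generation (article step 5), ir request, verification.
enroll() {
  host=$1 srvcert=$2 ref=$3 secret_file=$4
  key="$ref.key" cert="$ref.crt"
  umask 077                              # private key file readable by its owner only
  openssl genrsa -out "$key" 2048 || return 1
  cmp_ir command "$host" "$srvcert" "$ref" "$secret_file" "$key" "$cert" || return 1
  verify_issued_cert "$key" "$cert" "$ref" &&
    echo "issued $cert matches $key and has CN=$ref"
}

# Usage (placeholder values): ./cmp_enroll.sh 192.0.2.10 fac-server.pem usera cmp-secret.txt
if [ $# -eq 4 ]; then
  enroll "$@"
fi
```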

Related document: 

CMP
