FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Article Id 359099
Description: This article describes how to make a CMP password-based initialization request (IR) from FortiGate to FortiAuthenticator.
Scope: FortiGate 7.6.X, FortiAuthenticator 6.6+.
Solution

Follow the General instructions to enable the service on the FortiAuthenticator.


Import the root Certificate Authority (fac.cz.root in this example) onto the FortiGate (Create/import CA certificate).

Configure a Certificate Enrollment.


At the time of writing, wildcard CMP Certificate Enrollment isn't supported.

Each client needs its own Certificate Enrollment to be configured; otherwise the request fails with 'Enrollment not found.'

Key Usages vary and depend on the purpose of the requested certificate.
Key Encipherment and Digital Signature are required for a certificate used for HTTPS services, such as a web server.


Making the request from FortiGate with 'diagnose debug app cmp -1' enabled produces output similar to the following:

FG100F-5 # execute vpn certificate local generate cmp-rsa cmptest1 2048 http://10.109.21.113:80 /app/cert/cmp2 fac.root "" fgt100f fortinet1 "CN=fgt100f.local"
__cmp_cert_session_start()-1333:
Certificate CMP IR started, Please check it in a while

FG100F-5 # __cmp_ctx_create()-351: Set 'fac.root' as srvCert.
__cmp_ctx_create()-359: Added 'fac.root' to trustedStore.
__cmp_cert_session_start()-1378: OSSL_CMP_CTX init is done successfully.
__cmp_cert_session_start()-1381: Start IR for 'cmptest1', vfid=0, is_global=0
__cmp_start()-1266: Resolve 10.109.21.113
__cmp_resolv_cb()-1257: IP of CMP-10.109.21.113 is 10.109.21.113
__cmp_start_connect()-1203:
__cmp_connect()-1184: CMP connection(10.109.21.113) started for 'cmptest1'. socket: 23
__cmp_build_req()-552: Cert 'cmptest1'
__cmp_build_req()-586: Request length 961.
__cmp_write()-921: Sent 961 bytes: pos=0, len=961
__cmp_read()-1010: Read 2198 bytes.
__cmp_read()-1033: HTTP header: HTTP/1.1 200 OK

__parse_http_one_line()-981: HTTP result code 200.
__cmp_read()-1033: HTTP header: Date: Thu, 21 Nov 2024 11:52:11 GMT

__cmp_read()-1033: HTTP header: X-XSS-Protection: 1; mode=block

__cmp_read()-1033: HTTP header: X-Content-Type-Options: nosniff

__cmp_read()-1033: HTTP header: Referrer-Policy: strict-origin-when-cross-origin

__cmp_read()-1033: HTTP header: Permissions-Policy: fullscreen=(self)

__cmp_read()-1033: HTTP header: Connection: close

__cmp_read()-1033: HTTP header: Content-Type: application/pkixcmp

__cmp_read()-1033: HTTP header:

__cmp_read()-1098: Content length 1933.
__cmp_read()-1107: Got the whole content.
__cmp_save_pki()-516: Need to send certificate confirm.
__update_local_cert_and_key()-412:
__load_cert_and_key()-396: No client cert 'cmptest1'.
__update_local_cert_and_key()-457: Cert file updated.
__cmp_ctx_clean()-1306:
__cmp_stop_connect()-1140:
__cmp_next_steps()-715: Send certificate confirm.
__cmp_start_connect()-1203:
__cmp_connect()-1184: CMP connection(10.109.21.113) started for 'cmptest1'. socket: 23
__cmp_build_req()-552: Cert 'cmptest1'
__cmp_build_req()-586: Request length 408.
__cmp_write()-921: Sent 408 bytes: pos=0, len=408
__cmp_read()-1010: Read 509 bytes.
__cmp_read()-1033: HTTP header: HTTP/1.1 200 OK

__parse_http_one_line()-981: HTTP result code 200.
__cmp_read()-1033: HTTP header: Date: Thu, 21 Nov 2024 11:52:14 GMT

__cmp_read()-1033: HTTP header: X-XSS-Protection: 1; mode=block

__cmp_read()-1033: HTTP header: X-Content-Type-Options: nosniff

__cmp_read()-1033: HTTP header: Referrer-Policy: strict-origin-when-cross-origin

__cmp_read()-1033: HTTP header: Permissions-Policy: fullscreen=(self)

__cmp_read()-1033: HTTP header: Connection: close

__cmp_read()-1033: HTTP header: Content-Type: application/pkixcmp

__cmp_read()-1033: HTTP header:

__cmp_read()-1098: Content length 244.
__cmp_read()-1107: Got the whole content.
__cmp_read()-1123: DONE for 'cmptest1', ret=0
__cmp_stop_connect()-1140:
__cmp_ctx_clean()-1306:
__cmp_ctx_destroy()-1323:


To stop the above debug output, run the following commands:

diagnose debug disable

diagnose debug reset

In the above:

cmptest1 <----- Name under which the certificate is stored on the FortiGate.
http://10.109.21.113:80 <----- IP and port of the FAC/CMP server.
/app/cert/cmp2 <----- Path to the service (do not change).
fac.root <----- Name of the root CA certificate as imported on the FortiGate, often CA_Cert_1 or a higher number.
fgt100f <----- The profile name (Enrollment ID): the name of the template in Certificate Enrollment.
fortinet1 <----- Password configured in Certificate Enrollment.
CN=fgt100f.local <----- Certificate subject or complete distinguished name (DN).
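As an added illustration (not part of this article or of Fortinet's code), the following Python maps the positional arguments of the generate command onto the legend above and checks a 'diagnose debug app cmp -1' trace for the two round trips a successful IR needs: the initialization response followed by the certificate confirm. The trace excerpt is constructed from the output shown above; treating 2048 as the RSA key size and the empty argument as an unused slot are assumptions, since the legend does not describe them.

```python
import re
import shlex

# Constructed excerpt of the 'diagnose debug app cmp -1' trace shown above.
SAMPLE_TRACE = """\
__cmp_read()-1033: HTTP header: HTTP/1.1 200 OK
__cmp_read()-1033: HTTP header: Content-Type: application/pkixcmp
__cmp_save_pki()-516: Need to send certificate confirm.
__update_local_cert_and_key()-457: Cert file updated.
__cmp_next_steps()-715: Send certificate confirm.
__cmp_read()-1033: HTTP header: HTTP/1.1 200 OK
__cmp_read()-1033: HTTP header: Content-Type: application/pkixcmp
__cmp_read()-1123: DONE for 'cmptest1', ret=0
"""
SAMPLE_CMD = ('execute vpn certificate local generate cmp-rsa cmptest1 2048 '
              'http://10.109.21.113:80 /app/cert/cmp2 fac.root "" fgt100f '
              'fortinet1 "CN=fgt100f.local"')

# Legend order from the article. Assumptions: 2048 is the RSA key size, and the
# empty slot between the CA name and the enrollment ID is carried as 'unused'.
KEYS = ("name", "keysize", "url", "path", "ca", "unused",
        "enrollment_id", "password", "subject")

def parse_cmp_command(cmdline):
    """Map the positional arguments after 'cmp-rsa' onto the legend fields."""
    pos = shlex.split(cmdline)
    pos = pos[pos.index("cmp-rsa") + 1:]
    if len(pos) != len(KEYS):
        raise ValueError(f"expected {len(KEYS)} arguments after cmp-rsa, got {len(pos)}")
    return dict(zip(KEYS, pos))

def _round_trip_ok(lines):
    """True when the server answered 200 with a PKIX-CMP body (not an HTML error page)."""
    return (any("HTTP/1.1 200" in l for l in lines)
            and any("application/pkixcmp" in l for l in lines))

def check_cmp_trace(trace, name):
    """Split the trace at the certificate-confirm step and verify both round
    trips (IR, then certConf) completed for the local certificate 'name'."""
    lines = trace.splitlines()
    cut = next((i for i, l in enumerate(lines) if "Send certificate confirm" in l), None)
    if cut is None:  # the IR never reached the certConf step
        return {"ir_ok": _round_trip_ok(lines), "confirm_ok": False, "done": False}
    ir, conf = lines[:cut], lines[cut:]
    done = re.compile(rf"DONE for '{re.escape(name)}', ret=0$")
    return {
        "ir_ok": _round_trip_ok(ir) and any("Cert file updated" in l for l in ir),
        "confirm_ok": _round_trip_ok(conf),
        "done": any(done.search(l) for l in conf),
    }
```

A 200 response whose Content-Type is not application/pkixcmp, or a trace with no DONE line for the certificate name, is reported as a failed round trip rather than a success.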

FortiAuthenticator CMP debug output can be viewed under Debug -> Others -> SCEP/CMP. Debug must be enabled beforehand by selecting 'Enter debug mode'.


The request is successfully processed by the FortiAuthenticator and the certificate is signed.


The successful or failed certificate signing request can also be viewed under the FortiAuthenticator GUI -> Log Access -> Log Access -> Logs.

Additional troubleshooting is possible when the CMP request is made over unencrypted HTTP on port 80. A packet capture can be taken from the FortiAuthenticator CLI with:

execute tcpdumpfile -i any port 80

Reproduce the process, stop the capture with CTRL-C and download it from https://fac-ip/debug/pcap-dump

Example log entries for a successful certificate signing request:


Initial signing request:


Certificate signing request "CN=fgt100f.local" signed with CA certificate "CN=fac.cz.root"


Renewing signing request:


Certificate "CN=fgt100f.local" was renewed (DC:3D:D3:26:0D:9E:2D:9F)