The article describes how to resolve SCEP GetCA: An error occurred while trying to find the requested CA certificate with id: CAIdentifier while generating a certificate on a FortiGate using a FortiAuthenticator as an external Certificate Authority.
FortiAuthenticator, FortiGate.
The following articles describe how to enable SCEP in FortiAuthenticator as an external Certificate Authority and how to generate a CSR in FortiGate:
Technical Tip: Certificate Template with SCEP enrollment using FortiAuthenticator as external CA
Technical Tip: FortiGate Certificate enrollment using SCEP
However, the enrollment of certificates using SCEP can fail due to this error: 'SCEP GetCA: An error occurred while trying to find the requested CA certificate with id: CAIdentifier'.
The details of the mentioned error can be found at https://<Fortiauthenticator ip or fqdn>/debug under Others -> SCEP/CMP after selecting 'Enter debug mode'.
2025-05-04T21:40:43.533948+03:00 fac scepd[16706]: mo_pkcs7unwrap.cpp:255: got 694 bytes of decrypted data
2025-05-04T21:40:43.533978+03:00 fac scepd[16706]: mo_pkcs7unwrap.cpp:542: decoding X509_REQ
2025-05-04T21:40:43.534477+03:00 fac scepd[16706]: mo_handle_pki_op.cpp:284: message with transaction id 6F6DC68C22DC9F9FE1A67570F0D6DD7EE50C8C1844FE196ED9F443D8766350B1
2025-05-04T21:40:43.534542+03:00 fac scepd[16706]: mo_handle_pki_op.cpp:285: sender is /O=Fortinet/CN=192.168.20.115
2025-05-04T21:40:43.534613+03:00 fac scepd[16706]: mo_handle_pki_op.cpp:309: PKCSReq message received
2025-05-04T21:40:43.534720+03:00 fac scepd[16706]: mo_enroll.cpp:580: handling PKCSReq message
2025-05-04T21:40:43.537315+03:00 fac scepd[16706]: mo_get_enrollments.cpp:73: there are 1 pending enrollment(s)
2025-05-04T21:40:43.537370+03:00 fac scepd[16706]: mo_get_enrollments.cpp:467: checking pending enroll req (id=9) subject: /OU=Fortinet/CN=192.168.20.115
2025-05-04T21:40:43.539719+03:00 fac scepd[16706]: mo_get_enrollments.cpp:269: there are 0 revoked enrollment(s) that are eligible for renewal
2025-05-04T21:40:43.541428+03:00 fac scepd[16706]: mo_get_enrollments.cpp:205: there are 0 approved enrollment(s) that are eligible for renewal
2025-05-04T21:40:43.541745+03:00 fac scepd[16706]: mo_get_enrollments.cpp:173: there are 0 pending wildcard enrollment(s)
2025-05-04T21:40:43.542420+03:00 fac scepd[16706]: mo_enroll.cpp:53: no existing enrollment is found for /O=Fortinet/CN=192.168.2.254 and manual enrollment is disabled
2025-05-04T21:40:43.542539+03:00 fac scepd[16706]: mo_cert_reply.cpp:86: preparing a failure reply of type FAILURE
2025-05-04T21:40:43.542576+03:00 fac scepd[16706]: mo_cert_reply.cpp:99: failure reason is BadRequest
2025-05-04T21:40:43.542725+03:00 fac scepd[16706]: mo_cert_reply.cpp:111: PKCS7 ready to return
2025-05-04T21:40:43.542780+03:00 fac scepd[16706]: mo_handle_pki_op.cpp:383:Status: 400 Bad Request
The error occurs if the Subject information does not match between the CSR in FortiGate and the enrollment request in FortiAuthenticator.
In the following example, the Subject information in the FortiGate CSR uses the host IP:
But that hostname is not present in FortiAuthenticator's enrollment request.
To resolve this, the Subject information in the CSR on the FortiGate must match the enrollment request in FortiAuthenticator, as shown below:
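The mismatch can be spotted directly in the SCEP debug output: the pending enrollment request line carries the subject FortiAuthenticator expects, and the "no existing enrollment is found for" line carries the subject actually sent in the FortiGate CSR. The following script is an added example, not part of the original article or a Fortinet tool; it parses those two debug lines (the sample log is constructed from the lines shown above), splits each OpenSSL-style DN into its RDNs and reports every attribute that differs. Comparing RDNs by exact string match is an assumption made here for diagnostic purposes and is not a statement of FortiAuthenticator's internal matching rule.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the relevant lines from the FortiAuthenticator SCEP debug
# output shown in the article (Others -> SCEP/CMP -> Enter debug mode).
SAMPLE_LOG = """\
2025-05-04T21:40:43.534542+03:00 fac scepd[16706]: mo_handle_pki_op.cpp:285: sender is /O=Fortinet/CN=192.168.20.115
2025-05-04T21:40:43.537370+03:00 fac scepd[16706]: mo_get_enrollments.cpp:467: checking pending enroll req (id=9) subject: /OU=Fortinet/CN=192.168.20.115
2025-05-04T21:40:43.542420+03:00 fac scepd[16706]: mo_enroll.cpp:53: no existing enrollment is found for /O=Fortinet/CN=192.168.2.254 and manual enrollment is disabled
2025-05-04T21:40:43.542576+03:00 fac scepd[16706]: mo_cert_reply.cpp:99: failure reason is BadRequest
"""

# Patterns derived from the two debug lines of interest. DN values containing
# spaces are not handled by \S+ (assumption: subjects here have none).
PENDING_RE = re.compile(r"checking pending enroll req \(id=(\d+)\) subject: (\S+)")
NOTFOUND_RE = re.compile(r"no existing enrollment is found for (\S+)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an OpenSSL-style DN such as '/O=Fortinet/CN=host' into (attr, value) pairs."""
    pairs = []
    for part in dn.strip().split("/"):
        if not part:
            continue
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def extract_subjects(log: str) -> Tuple[Dict[str, str], Optional[str]]:
    """Return ({enrollment id: pending subject}, CSR subject the CA could not match)."""
    pending: Dict[str, str] = {}
    csr_subject: Optional[str] = None
    for line in log.splitlines():
        m = PENDING_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = NOTFOUND_RE.search(line)
        if m:
            csr_subject = m.group(1)
    return pending, csr_subject


def diff_dn(expected: str, actual: str) -> List[str]:
    """Describe each RDN that differs between two DNs; an empty list means they match."""
    exp = dict(parse_dn(expected))
    act = dict(parse_dn(actual))
    problems = []
    for attr in sorted(set(exp) | set(act)):
        if attr not in act:
            problems.append(f"{attr}={exp[attr]} present in enrollment request but missing from CSR")
        elif attr not in exp:
            problems.append(f"{attr}={act[attr]} present in CSR but missing from enrollment request")
        elif exp[attr] != act[attr]:
            problems.append(f"{attr} differs: enrollment request '{exp[attr]}' vs CSR '{act[attr]}'")
    return problems


def diagnose(log: str) -> Dict[str, List[str]]:
    """Compare the rejected CSR subject against every pending enrollment request in the log."""
    pending, csr_subject = extract_subjects(log)
    if csr_subject is None:
        return {}
    return {eid: diff_dn(subject, csr_subject) for eid, subject in pending.items()}


if __name__ == "__main__":
    for eid, problems in diagnose(SAMPLE_LOG).items():
        print(f"enrollment request id={eid}:")
        for p in problems or ["subject matches the CSR"]:
            print(f"  - {p}")
```

Run against the sample, the script reports for enrollment request id 9 that CN differs (192.168.20.115 versus 192.168.2.254), that O is present only in the CSR and that OU is present only in the enrollment request, which is exactly the kind of discrepancy the BadRequest failure reply points to. Paste the debug output captured from the FortiAuthenticator into SAMPLE_LOG, or read it from a file, to check a real case.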
After correcting the subject information, the approved request can be seen on the FortiAuthenticator side under Certificate Management -> SCEP -> Enrollment Requests.
The successful approval of Certificate Enrollment is also available in FortiAuthenticator logs under Logging -> Log Access -> Logs.
Related documents:
Creating a local CA on FortiAuthenticator
Technical Tip: Enabling the self-service portal for certificate enrollment and password changes
Copyright 2025 Fortinet, Inc. All Rights Reserved.