Article Id 420924
Description

 

This article describes how to configure certificate renewal in deployments where FortiManager's 'Certificate Template' was used for SCEP enrolment.

 

Scope

 

FortiManager, FortiGate.

 

Solution

 

By default, when certificate enrolment is configured via a FortiManager 'Certificate Template', as explained in Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA, no renewal-related configuration is added to the FortiGate.

 

As a result, when the certificate is about to expire, the administrator can either re-run the enrolment process on FortiManager manually (or import the renewed certificate directly on the FortiGate), or rely on automatic renewal over the SCEP protocol.

 

To use SCEP-based renewal, add the following configuration as a CLI template or directly to the FortiGate:

 

config vpn certificate local
    edit <name>
        set scep-url "http://<IP_ADDRESS>/app/cert/scep/"
        set enroll-protocol scep
        set auto-regenerate-days 7
        set auto-regenerate-days-warning 14
        set scep-password <passwd>
    next
end

 

Note:

During the first enrolment via Certificate Template, the certificate is pushed through the FGFM tunnel. For subsequent renewals, the FortiGate must be allowed direct SCEP communication with the CA server, because FortiManager no longer participates in the process.

 

If needed, adjust how the FortiGate selects the outgoing interface for the SCEP flow and the source IP it uses:

 

FGT# config vpn certificate setting
    set interface-select-method [auto|specify|sdwan]
end

FGT# config vpn certificate local
    edit <name>
        set source-ip <ip_address>
    next
end

 

Troubleshooting: 

 

To troubleshoot certificate renewal over the SCEP protocol, check the output of the SCEP and FortiCron daemons.

 

For SCEP debugging:

 

FGT# diagnose debug application scep 255

 

For FortiCron testing:

 

FGT# diagnose test application forticron 2

Name-FAC_SCEP: type=local, realm=global, days=2, days_warn=2, source=0.0.0.0, warning_logged=1
        scep=http://10.5.149.111/app/cert/scep/
        warning_time=2025-11-24 19:57:32
GUI SSL cert timer: 76433, total_updates: 1, last_updated: Tue Oct 28 02:42:35 2025

 

For FortiCron debugging:

 

FGT# diagnose debug application forticron 255
FGT# diagnose debug enable

fcron_timer_func()-25: Timer cert_upd fired
fcron_update_timer_func()-342: 
__check_exp_date()-247: check cert-FAC_SCEP, vfid 0, is_global 1
cert_update_auto_gen_info()-362: cert FAC_SCEP expires at 2025-11-27 03:57:32  GMT
__local_scep_auto_regenerate()-97: Auto regenerate certificate-FAC_SCEP, vfid-0, global-1.
fcron_start_cert_scep()-824: 
scep_cert_init()-764: Hostname: 10.5.149.111
scep_cert_init()-765: Directory: /app/cert/scep/
scep_cert_init()-766: Port: 80(http)
scep_cert_init()-784: cert&pkey loaded using FAC_SCEPVDOM0
fcron_start_cert_scep()-858: Added and Start cert FAC_SCEP
scep_start()-743: resolve 10.5.149.111
scep_resolv_cb()-736: IP of scep-10.5.149.111 is 10.5.149.111
scep_start_connect()-682: 
fcron_cert_bind_interface()-784: 
fcron_cert_bind_interface()-790: bind to interface 0 for 0.0.0.0->10.5.149.111.
fcron_timer_func()-32: Timer cert_upd done
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a5470 epoll events 0x04
scep_connect()-658: 
scep_connect()-668: SCEP connection(10.5.149.111) started. socket: 25
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a51e0 epoll events 0x04
scep_rxtx()-593: state 0
cert_buf_realloc()-124: new size 2048
scep_rxtx()-640: new event EPOLLIN
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 1
scep_recv()-509: read 1449 bytes: pos=0, len=2048
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 1
scep_check_payload_size()-311: received the header from server: 10.5.149.111:80
[HTTP/1.1 200 OK
Date: Mon, 24 Nov 2025 11:31:35 GMT
Content-Length: 1188
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: fullscreen=(self)
Connection: close
Content-Type: application/x-x509-ca-cert
]
find_content_length()-273: content-length 1188
scep_recv()-519: data: pos=1188, sz=2048, content-length=1188
scep_recv()-527: got CA, re-connecting the host. send PKCSREQ request
scep_stop_connect()-152: 
scep_start_connect()-682: 
fcron_cert_bind_interface()-784: 
fcron_cert_bind_interface()-790: bind to interface 0 for 0.0.0.0->10.5.149.111.
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a5470 epoll events 0x04
scep_connect()-658: 
scep_connect()-668: SCEP connection(10.5.149.111) started. socket: 25
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-264: BEFORE WRITE fd 25 handle event 0x04 write 0x55f0ad0a51e0 epoll events 0x04
scep_rxtx()-593: state 2
build_cert_request()-204: 
cert_buf_realloc()-124: new size 9678
scep_rxtx()-640: new event EPOLLIN
fcron_epoll_after_handle()-280: AFTER WRITE ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 3
scep_recv()-509: read 283 bytes: pos=0, len=9678
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_epoll_before_handle()-260: BEFORE READ fd 25 handle event 0x01 read 0x55f0ad0a51e0 epoll events 0x01
scep_rxtx()-593: state 3
scep_check_payload_size()-311: received the header from server: 10.5.149.111:80
[HTTP/1.1 200 OK
Date: Mon, 24 Nov 2025 11:31:35 GMT
Content-Length: 25
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: fullscreen=(self)
Connection: close
Content-Type: application/x-pki-message
]
find_content_length()-273: content-length 25
scep_recv()-519: data: pos=25, sz=9678, content-length=25
scep_handle_cert_reply()-404: unwrap cert reply
scep_recv()-554: SCEP request is failed
scep_stop()-193: 
scep_stop_connect()-152: 
scep_cleanup()-168: scep_cleanup, state 3, name FAC_SCEPVDOM0, vfid 0, is_global 1.
fcron_epoll_after_handle()-277: AFTER READ ret 0
fcron_timer_func()-23: Timer traf_his fired
fcron_timer_func()-32: Timer traf_his done
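The debug output above is verbose; the following added Python helper (not part of this article or of FortiOS) reduces a 'forticron 255' transcript to the SCEP phases it went through (GetCACert, then PKCSReq), the HTTP reply the CA returned for each, and whether the run ended with 'SCEP request is failed', so the result can be checked or alerted on. The sample transcript is a constructed excerpt of the output shown above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the FortiCron debug output shown in the article.
SAMPLE = """\
cert_update_auto_gen_info()-362: cert FAC_SCEP expires at 2025-11-27 03:57:32  GMT
scep_check_payload_size()-311: received the header from server: 10.5.149.111:80
[HTTP/1.1 200 OK
Content-Length: 1188
Content-Type: application/x-x509-ca-cert
]
scep_recv()-527: got CA, re-connecting the host. send PKCSREQ request
scep_check_payload_size()-311: received the header from server: 10.5.149.111:80
[HTTP/1.1 200 OK
Content-Length: 25
Content-Type: application/x-pki-message
]
scep_handle_cert_reply()-404: unwrap cert reply
scep_recv()-554: SCEP request is failed
"""

@dataclass
class ScepRun:
    cert: str = ""
    expires: str = ""
    responses: list = field(default_factory=list)  # (phase, status, content-type, length)
    result: str = "unknown"  # only the failure string appears in the article's output

def parse_forticron_debug(text: str) -> ScepRun:
    """Reduce a 'forticron 255' transcript to the SCEP exchange it performed."""
    run, phase, hdr = ScepRun(), "GetCACert", None
    for line in text.splitlines():
        if hdr is not None:  # inside a "[HTTP/1.1 ... ]" header dump
            if line.startswith("]"):
                run.responses.append((phase, hdr["status"], hdr.get("content-type", ""),
                                      int(hdr.get("content-length", 0))))
                hdr = None
            elif ":" in line:
                k, v = line.split(":", 1)
                hdr[k.strip().lower()] = v.strip()
        elif m := re.search(r"cert (\S+) expires at (.+?)\s+GMT", line):
            run.cert, run.expires = m.group(1), m.group(2)
        elif m := re.match(r"\[HTTP/\d\.\d (\d{3})", line):
            hdr = {"status": int(m.group(1))}
        elif "send PKCSREQ request" in line:
            phase = "PKCSReq"  # GetCACert answered; the enrolment request follows
        elif "SCEP request is failed" in line:
            run.result = "failed"
    return run
```

On the transcript above this yields two HTTP 200 replies (a 1188-byte CA certificate, then a 25-byte PKI message) and the result 'failed', which is the condition a monitoring job should raise before the certificate's expiry date is reached.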

  

Related articles: 

Technical Tip: Certificate Template with SCEP enrollment, using FortiAuthenticator as external CA 

Technical Tip: FortiGate Certificate enrollment and renewal using SCEP 
