FortiGate
v_ceban
Staff
Article Id 329797
Description

This article describes how to obtain a certificate using SCEP enrollment with a specific source IP on a FortiGate device.

Scope

FortiGate.

Solution

In some cases, for example when the SCEP server is reached over an IPsec tunnel or when an ACL on the server only permits specific client addresses, it is necessary to control which source IP the FortiGate uses for its enrollment requests.

With the current FortiGate implementation, the only way to specify the source IP for SCEP enrollment requests is the following CLI command (all arguments are positional):


execute vpn certificate local generate rsa <Local certificate name> <Key size> <Subject> <Country name/code> <State/Province> <City> <Organisation> <Unit> <Email> <SAN> <URL of the CA server signing via SCEP> <Challenge Password> <Source IP>


For example:

execute vpn certificate local generate rsa LAB_Cert 4096 tac.lab.ott CA ON Ottawa Fortinet TAC example@fortinet.com DNS:tac.lab.ott scep.tac.lab/certsrv/mscep/mscep.dll password 10.1.1.1
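Because every argument of this command is positional, a value that contains whitespace (an organisation name such as "Fortinet TAC", for instance) shifts every later field, so the challenge password and the source IP end up in the wrong positions and the enrollment fails or goes out from the wrong address. The following Python helper is an added example, not part of the article and not Fortinet code: it builds the command from named fields in the article's order, validates each field (no whitespace, a valid IP address for the source, a two-letter country code, a key size from a list that is an assumption to be checked against your FortiOS release) and parses a command line back into its fields so that an existing script or ticket can be checked before it is pasted into the CLI.

```python
import ipaddress
from dataclasses import dataclass, fields, replace

# Fixed prefix of the FortiOS command, exactly as given in the article.
COMMAND_PREFIX = "execute vpn certificate local generate rsa"

# Assumption: RSA sizes commonly accepted by FortiOS; confirm against your release notes.
ALLOWED_KEY_SIZES = {1024, 1536, 2048, 4096}


@dataclass(frozen=True)
class ScepRequest:
    """Arguments of the command, in the same positional order as the article's syntax line."""
    name: str
    key_size: int
    subject: str
    country: str
    state: str
    city: str
    organisation: str
    unit: str
    email: str
    san: str
    scep_url: str
    challenge_password: str
    source_ip: str


def validate(req: ScepRequest) -> list:
    """Return a list of problems; an empty list means the request is safe to render."""
    errors = []
    for f in fields(req):
        value = str(getattr(req, f.name))
        # A positional CLI has no quoting: whitespace would shift all following fields.
        if not value or any(ch.isspace() for ch in value):
            errors.append(f"{f.name}: must be non-empty and contain no whitespace")
    if req.key_size not in ALLOWED_KEY_SIZES:
        errors.append(f"key_size: {req.key_size} not in {sorted(ALLOWED_KEY_SIZES)}")
    if len(req.country) != 2 or not req.country.isalpha():
        errors.append("country: expected a two-letter country code")
    try:
        ipaddress.ip_address(req.source_ip)
    except ValueError:
        errors.append(f"source_ip: {req.source_ip!r} is not a valid IP address")
    return errors


def build_command(req: ScepRequest) -> str:
    """Render the full CLI line, refusing to do so if validation finds a problem."""
    errors = validate(req)
    if errors:
        raise ValueError("; ".join(errors))
    return " ".join([COMMAND_PREFIX] + [str(getattr(req, f.name)) for f in fields(req)])


def parse_command(line: str) -> ScepRequest:
    """Split an existing command line back into named fields, checking the argument count."""
    tokens = line.split()
    prefix = COMMAND_PREFIX.split()
    if tokens[: len(prefix)] != prefix:
        raise ValueError("line does not start with the expected command prefix")
    args = tokens[len(prefix):]
    names = [f.name for f in fields(ScepRequest)]
    if len(args) != len(names):
        raise ValueError(f"expected {len(names)} positional arguments, got {len(args)}")
    kwargs = dict(zip(names, args))
    kwargs["key_size"] = int(kwargs["key_size"])
    return ScepRequest(**kwargs)


# The article's own example, expressed as named fields (values taken from the article).
ARTICLE_EXAMPLE = ScepRequest(
    name="LAB_Cert", key_size=4096, subject="tac.lab.ott", country="CA", state="ON",
    city="Ottawa", organisation="Fortinet", unit="TAC", email="example@fortinet.com",
    san="DNS:tac.lab.ott", scep_url="scep.tac.lab/certsrv/mscep/mscep.dll",
    challenge_password="password", source_ip="10.1.1.1",
)

if __name__ == "__main__":
    print(build_command(ARTICLE_EXAMPLE))
    # Constructed bad input: an organisation with a space would shift the later fields.
    print(validate(replace(ARTICLE_EXAMPLE, organisation="Fortinet TAC")))
```

The generated line for the article's values is identical to the example above; the parser is useful for reviewing commands found in change tickets or automation scripts, since a line with the wrong number of tokens is rejected before it reaches the FortiGate. Note that the challenge password is passed in clear text on the command line, so treat CLI history and session logs accordingly.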
