In order to automate certificate enrollment via SCEP for admin server certificate, it is necessary to follow these exact steps in order to have it enrolled successfully:

1. Have a SCEP server available configured to process the enrollment.

In this case, FortiAuthenticator is used. In order to make it available to process SCEP requests, SCEP has to be enabled on the interfaces handling SCEP enrollments.

2. Create a local CA on FortiAuthenticator:

Enable SCEP and set the default CA:

*in case Automatic enrollment method is selected, it is necessary to create an enrollment for each request.

3. Fetch CA from SCEP server.

On FortiGate, issue the following command to fetch the CA certificate from an SCEP server.

fgt (global) # execute vpn certificate ca import auto http://10.5.197.12/app/cert/scep/  
Done.

The certificate appears in the Remote CA section.

4. On FortiGate, create an admin server certificate enrollment request

fgt (global) # execute vpn certificate local generate rsa localcert 2048 localcert CZ ST L OU "" admin@cert.arpa "" http://10.5.197.12/app/cert/scep/ <enrollment password>

Global certificate SCEP Signing Request started. Please check it in a while.

• CZ = country
• ST = state
• L = city
• OU = organization
• admin@cert.arpa - email address

5. Approve enrollment on FortiAuthenticator (*unless Automatic enrollment is configured).

Approve the enrollment on FortiAuthenticator and select desired Key Usages - for example, Digital Signature, Key Encipherment, Server Authentication for the admin web server certificate.

6. Observe the certificate to become valid on FortiGate.

After a while (note that this is not immediate), the certificate will appear on the FortiGate as valid.

7. Set the certificate as the admin server certificate.

The last step is to set the certificate as the admin-server-cert on FortiGate, which can be done by issuing the following commands:

fgt (global) # config system global  
fgt (global) # set admin-server-cert localcert  
fgt (global) # end