athirat (Staff)
Article Id 361283
Description

This article describes how to use FortiAuthenticator as a CMPv2 server to roll out 3GPP certificates to FortiGates acting as SecGW in mobile network deployments.

Scope

FortiGate v6.2.x onwards, FortiAuthenticator v6.6.x onwards.

Solution

Find the setup steps below:

On FortiAuthenticator:

1. Go to 'Certificate Management -> CMP -> General' to enable CMPv2. Once enabled, select a server certificate and set up the default enrollment password:

 


2. Go to 'Network -> Interfaces' and enable CMP services on the interface the FortiGate will connect to:

 

Note: either HTTPS or HTTP can be used; this example uses HTTP on TCP/80.

3. Go to 'Certificate Management -> Local CAs' and set up a Local CA certificate, which will be used to sign the requests.

 



4. Go to 'Certificate Management -> CMP -> Enrollment Request' and create a new enrollment certificate with the request type set to '3GPP'.

 

Note: the device vendor CA certificate is the CA that signed the FortiGate's authentication certificate. In this example the 'Fortinet_Factory' certificate is used on the FortiGate, so the Fortinet CA certificate is selected.

 


The enrollment request can be customized as required by setting an appropriate renewal period and selecting the required key usages.

Once created, it is shown with 'Pending' status:

 


On FortiGate:

1. Import the FortiAuthenticator server certificate under 'Remote Certificate':

 

config certificate remote
# edit G_REMOTE_Cert_1
(G_REMOTE_Cert_1) # get
name : G_REMOTE_Cert_1
remote :
Subject: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = Fortiauthenticator, CN = Default-Server-Certificate-D01CBD01
.....

2. The Initialization Request (IR) syntax on FortiGate is as follows:

 

execute vpn certificate local generate cmp <local name> <key size> <server-address:port> <path> <SrvCert> <AuthCert> <username> <password>

In this example:

 

execute vpn certificate local generate cmp SecGW-cert 2048 10.5.145.56:80 /app/cert/cmp2/ G_REMOTE_Cert_1 Fortinet_Factory
Certificate CMP IR started, Please check it in a while

Successfully issued:

 

config certificate local
    edit SecGW-cert
        get
        name : SecGW-cert
        password : *
        comments :
        private-key :
        certificate :
        Subject: CN = FG481FTK1111111.unknown.com
        Issuer: O = test, OU = SECGW, CN = FAC
        .
        .
        state :
        range : global
        source : user
        source-ip : 0.0.0.0
        ike-localid-type : asn1dn
        enroll-protocol : cmpv2
        cmp-server : 10.5.145.56
        cmp-path : /app/cert/cmp2/
        cmp-server-cert : G_REMOTE_Cert_1
        cmp-regeneration-method: keyupdate
        auto-regenerate-days: 0
        auto-regenerate-days-warning: 0
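As an added check (example code written for this article, not part of FortiOS or FortiAuthenticator), the script below parses the 'get' output of the enrolled certificate and verifies that it was issued over CMPv2 by the expected FortiAuthenticator, with the imported server certificate referenced; it also flags auto-regenerate-days 0, which disables automatic re-enrollment before expiry. The sample output is constructed to match the listing above.

```python
import re

# Constructed sample modelled on the 'get' output above; not a dump from a real device.
SAMPLE_GET_OUTPUT = """\
name : SecGW-cert
password : *
Subject: CN = FG481FTK1111111.unknown.com
Issuer: O = test, OU = SECGW, CN = FAC
range : global
source : user
ike-localid-type : asn1dn
enroll-protocol : cmpv2
cmp-server : 10.5.145.56
cmp-path : /app/cert/cmp2/
cmp-server-cert : G_REMOTE_Cert_1
cmp-regeneration-method: keyupdate
auto-regenerate-days: 0
auto-regenerate-days-warning: 0
"""


def parse_get_output(text):
    """Map 'key : value' and 'key: value' lines to a dict; skip everything else."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_cmp_cert(fields, expected_server, expected_server_cert, expected_issuer_cn):
    """Return a list of findings; an empty list means the enrollment matches expectations."""
    findings = []
    if fields.get("enroll-protocol") != "cmpv2":
        findings.append("enroll-protocol is not cmpv2")
    if fields.get("cmp-server") != expected_server:
        findings.append("cmp-server %r is not the expected FortiAuthenticator %r"
                        % (fields.get("cmp-server"), expected_server))
    if fields.get("cmp-server-cert") != expected_server_cert:
        findings.append("cmp-server-cert does not reference the imported FortiAuthenticator certificate")
    if "CN = %s" % expected_issuer_cn not in fields.get("Issuer", ""):
        findings.append("Issuer CN is not the FortiAuthenticator local CA")
    # auto-regenerate-days 0 disables automatic re-enrollment, so expiry must be tracked by hand.
    if fields.get("auto-regenerate-days", "0") == "0":
        findings.append("auto-regenerate-days is 0: no automatic renewal before expiry")
    return findings
```

Run it against the real 'get' output of the device with the FortiAuthenticator address, remote certificate name and local CA CN used in your deployment; any finding other than the renewal warning means the certificate was not enrolled the way the steps above intend.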

       

Troubleshooting:

On FortiGate, the process can be tracked with the CMP debugs below or with a packet capture towards the FortiAuthenticator IP:

diag debug reset
diag debug app cmp 255
diag debug en

In the capture, filter on CMP to see the exchange with the FortiAuthenticator.

 

On FortiAuthenticator, debugs are available under the Debug page -> Others -> SCEP/CMP.
