FortiGate
Atul_S
Staff
Article Id 346971
Description This article explains how to select the key type and handle encryption when creating a Certificate Signing Request (CSR) using Simple Certificate Enrollment Protocol (SCEP) with Elliptic Curve Cryptography (ECC).
Scope FortiGate v7.0, v7.2 and v7.4.
Solution

In public key cryptography, RSA and Elliptic Curve (EC) are the two key types in common use for signing and key exchange. FortiGate allows either key type to be used when generating a certificate request, so the choice can follow what the application or the issuing CA requires.

 

The steps can be widely broken down into stages as below:

 

  1. Certificate request creation.
  2. Key Generation.
  3. Certificate Validation.
  4. Issuance.
  5. Renewal.
  6. Revocation.

 

Elliptic Curve cryptography is less widely deployed than Rivest–Shamir–Adleman (RSA), even though it offers smaller key sizes and faster cryptographic operations for an equivalent security level.

 

EC keys cannot be used for encryption, as noted in RFC 8894 (SCEP), so the key in the request is not what keeps the SCEP messages confidential. Instead, the CMS (Cryptographic Message Syntax) envelope does that: the message content is encrypted with a symmetric content-encryption key, and that key is delivered to the recipient through a CMS RecipientInfo, the 'KeyTransRecipientInfo' mechanism.

 

When generating a certificate request with the online SCEP enrollment method under System > Certificates, select Elliptic Curve as the key type (and the curve to use) rather than RSA.

 

Because Elliptic Curve keys themselves cannot encrypt data, the Cryptographic Message Syntax (CMS) EnvelopedData mechanism is used to encrypt the message carried in the certificate response from the CA.

This encryption takes place while the PKCS #7/CMS pkiMessage is built, and it is what keeps the certificate operations confidential in transit even though the enrolling key is an EC key.
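The following is an added example, not FortiGate or Fortinet code, that shows in working Python what the two CMS passages above (the RFC 8894 note on EC keys and the description of the encrypted certificate response) mean in practice. It builds an EC key pair and a CSR signed with it, checks that the EC public key offers no encryption operation while an RSA public key does, and then models a CMS EnvelopedData: the content is encrypted with a random content-encryption key (CEK), and that CEK is delivered either by RSA key transport (KeyTransRecipientInfo) or, for an EC recipient, through ECDH key agreement (KeyAgreeRecipientInfo, as specified in RFC 5753). It requires the `cryptography` package. The envelope is a simplified model, not an ASN.1 CMS encoder; HKDF stands in for the X9.63 KDF that real CMS ECDH uses; and every subject name, payload and the `demo()` helper are constructed for this example.

```python
import os
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, keywrap, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

# RSA-OAEP parameters used for key transport (KeyTransRecipientInfo).
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_ec_csr(curve=ec.SECP256R1(), common_name="fgt.example.com"):
    """EC private key plus a CSR signed with ECDSA/SHA-256 (subject is constructed)."""
    key = ec.generate_private_key(curve)
    subject = x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Org"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(subject)
           .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]),
                          critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr


def is_encryption_capable(public_key) -> bool:
    """RSA public keys expose encrypt(); EC public keys only verify signatures."""
    return hasattr(public_key, "encrypt")


def _kek_from_ecdh(private_key, peer_public_key) -> bytes:
    # Shared secret -> key-encryption key. Real CMS uses the X9.63 KDF here.
    shared = private_key.exchange(ec.ECDH(), peer_public_key)
    return HKDF(hashes.SHA256(), 32, salt=None, info=b"cms-kari-example").derive(shared)


def envelope(content: bytes, recipient_public_key) -> dict:
    """Simplified CMS EnvelopedData: AES-256-GCM under a fresh CEK, with the
    RecipientInfo type chosen by the recipient's key type."""
    cek = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(cek).encrypt(nonce, content, None)
    if isinstance(recipient_public_key, rsa.RSAPublicKey):
        # KeyTransRecipientInfo: the CEK is encrypted directly with the RSA key.
        rinfo = {"type": "ktri", "encrypted_key": recipient_public_key.encrypt(cek, OAEP)}
    elif isinstance(recipient_public_key, ec.EllipticCurvePublicKey):
        # KeyAgreeRecipientInfo: an ephemeral EC key and the recipient's static key
        # agree on a KEK, and the KEK wraps the CEK with AES Key Wrap (RFC 3394).
        eph = ec.generate_private_key(recipient_public_key.curve)
        rinfo = {
            "type": "kari",
            "originator": eph.public_key().public_bytes(
                serialization.Encoding.X962, serialization.PublicFormat.UncompressedPoint),
            "encrypted_key": keywrap.aes_key_wrap(_kek_from_ecdh(eph, recipient_public_key), cek),
        }
    else:
        raise TypeError("unsupported recipient key type")
    return {"recipient_info": rinfo, "nonce": nonce, "ciphertext": ciphertext}


def open_envelope(env: dict, recipient_private_key) -> bytes:
    """Recover the CEK through the matching RecipientInfo, then decrypt the content."""
    rinfo = env["recipient_info"]
    if rinfo["type"] == "ktri":
        cek = recipient_private_key.decrypt(rinfo["encrypted_key"], OAEP)
    else:
        originator = ec.EllipticCurvePublicKey.from_encoded_point(
            recipient_private_key.curve, rinfo["originator"])
        cek = keywrap.aes_key_unwrap(_kek_from_ecdh(recipient_private_key, originator),
                                     rinfo["encrypted_key"])
    return AESGCM(cek).decrypt(env["nonce"], env["ciphertext"], None)


def demo() -> dict:
    """Run the three steps and return the facts the article relies on."""
    ec_key, csr = generate_ec_csr()
    rsa_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    payload = b"constructed CertRep content"  # stands in for the issued certificate
    ec_env = envelope(payload, ec_key.public_key())
    rsa_env = envelope(payload, rsa_key.public_key())
    return {
        "csr_signature_valid": csr.is_signature_valid,
        "csr_key_is_ec": isinstance(csr.public_key(), ec.EllipticCurvePublicKey),
        "ec_can_encrypt": is_encryption_capable(csr.public_key()),
        "rsa_can_encrypt": is_encryption_capable(rsa_key.public_key()),
        "ec_recipient_info": ec_env["recipient_info"]["type"],
        "rsa_recipient_info": rsa_env["recipient_info"]["type"],
        "ec_roundtrip_ok": open_envelope(ec_env, ec_key) == payload,
        "rsa_roundtrip_ok": open_envelope(rsa_env, rsa_key) == payload,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the checks from `demo()`: the EC CSR verifies under its own key but the EC public key cannot encrypt, the RSA recipient gets a `ktri` RecipientInfo and the EC recipient a `kari` one, and both recipients recover the same content. That is the practical reason the article stresses that, with an EC key selected for SCEP, confidentiality of the response rests on the CMS envelope rather than on the enrolling key.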
