seyuboglu
Staff
Article Id 404520
Description: This article describes an issue where auto-enrollment of an ECC certificate using SCEP fails with the error 'Couldn't read inner PKCS#7'.
Scope: FortiGate version 7.4.6.
Solution

This issue presents when configuring auto-enrollment for an Elliptic Curve (EC) certificate using the Simple Certificate Enrollment Protocol (SCEP).

The command works for RSA, but does not work as expected when using EC.

An example is below:

```text
FortiGate# execute vpn certificate local generate ec TEST secp384r1 test.it@company.com
```

**Parameters**:
- `<cert_name>`: Specify the certificate name.
- `<curve_name>`: For EC, specify the elliptic curve name (secp256r1, secp384r1 or secp521r1).
- `<subject>`: Specify the subject (Host-IP/Domain Name/E-Mail).
- `<country name>`, `<state>`, `<city>`, `<org>`, `<Units>`, `<email>`: Optional fields for additional certificate details.
- `<subject_alter_name>`: Optional subject alternative name.
- `<URL>`: Specify the URL.
- `<challenge>`: Optional challenge password.


The command fails with the error 'Couldn't read inner PKCS#7'. The SCEP debug output of the failed enrollment is shown below:


```text
2025-03-27 16:22:52 __scep_get_ca_cert: starting sscep, version 20030417
2025-03-27 16:22:52 __scep_get_ca_cert: hostname: test.it@company.com
2025-03-27 16:22:52 __scep_get_ca_cert: directory: /certsrv/mscep/
2025-03-27 16:22:52 __scep_get_ca_cert: port: 80(http)
2025-03-27 16:22:52 __get_ca_cert_req: SCEP_OPERATION_GETCA
2025-03-27 16:22:52 __get_ca_cert_req: requesting CA certificate, msg: GET /certsrv/mscep/?operation=GetCACert&message=CAIdentifier HTTP/1.0
Host: test.it@company.com
Connection: close

2025-03-27 16:22:52 __send_recv: dest ip X.X.X.X, port 80, use_ssl 0, source_ip 0.0.0.0
2025-03-27 16:22:52 __send_recv: tcps_read 2048
2025-03-27 16:22:52 __send_recv: content-length: 7678
2025-03-27 16:22:52 __send_recv: tcps_read 5800
2025-03-27 16:22:52 scep_parse_header: server returned status code 200
2025-03-27 16:22:52 scep_parse_header: MIME header: application/x-x509-ca-ra-cert
2025-03-27 16:22:52 __send_recv: set payload 7678 bytes
2025-03-27 16:22:52 __get_ca_cert_req: valid response from server
2025-03-27 16:22:52 __process_ca_cert_reply: Reply type 3
2025-03-27 16:22:52 __get_ca_ra: loaded pkcs7
2025-03-27 16:22:52 __get_ca_ra: found 4 certs
2025-03-27 16:22:52 __get_ca_ra: skip non-CA cert 0
2025-03-27 16:22:52 __get_ca_ra: skip non-CA cert 1
2025-03-27 16:22:52 scep_write_cert: certificate written as /tmp/tmp_vpn_cert
2025-03-27 16:22:52 __get_ca_ra: done cert 2
2025-03-27 16:22:52 scep_write_cert: certificate written as /tmp/tmp_vpn_cert
2025-03-27 16:22:52 __get_ca_ra: done cert 3
2025-03-27 16:22:52 __get_ca_ra: done all certs
2025-03-27 16:22:52 scep_parse_header: server returned status code 200
2025-03-27 16:22:52 scep_parse_header: MIME header: application/x-x509-ca-ra-cert
2025-03-27 16:22:52 __process_ca_cert_reply: Reply type 3
2025-03-27 16:22:52 __get_ca_ra: loaded pkcs7
2025-03-27 16:22:52 __get_ca_ra: found 4 certs
2025-03-27 16:22:52 __read_ca_cert_cb: loaded signing cert
2025-03-27 16:22:52 __get_ca_ra: done cert 0
2025-03-27 16:22:52 __read_ca_cert_cb: loaded encipher cert
2025-03-27 16:22:52 __get_ca_ra: done cert 1
2025-03-27 16:22:52 __read_ca_cert_cb: loaded CA
2025-03-27 16:22:52 __get_ca_ra: done cert 2
2025-03-27 16:22:52 __read_ca_cert_cb: loaded CA
2025-03-27 16:22:52 __get_ca_ra: done cert 3
2025-03-27 16:22:52 __get_ca_ra: done all certs
2025-03-27 16:22:52 new_scep_transaction: transaction id: B0742E9165293344556450F2439F395631778CF28FF8A7A58FE6544A908ADA8FB2B6B9
2025-03-27 16:22:52 pkcs7_wrap:1116 creating inner PKCS#7
2025-03-27 16:22:52 pkcs7_wrap: data payload size: 527 bytes
2025-03-27 16:22:52 pkcs7_wrap: successfully encrypted payload
2025-03-27 16:22:52 pkcs7_wrap: envelope size: 1340 bytes
2025-03-27 16:22:52 pkcs7_wrap: creating outer PKCS#7
2025-03-27 16:22:52 pkcs7_wrap: signature added successfully
2025-03-27 16:22:52 pkcs7_wrap: adding signed attributes
2025-03-27 16:22:52 __add_attribute_string: adding string attribute transId
2025-03-27 16:22:52 __add_attribute_string: adding string attribute messageType
2025-03-27 16:22:52 __add_attribute_octet: adding octet attribute senderNonce
2025-03-27 16:22:52 pkcs7_wrap: PKCS#7 data written successfully
2025-03-27 16:22:52 pkcs7_wrap: applying base64 encoding
2025-03-27 16:22:52 pkcs7_wrap: base64 encoded payload size: 3592 bytes
Global certificate SCEP Signing Request started. Please check it in a while.

ASHHUB # 2025-03-27 16:22:52 scep_parse_header: server returned status code 200
2025-03-27 16:22:52 scep_parse_header: MIME header: x-pki-message
2025-03-27 16:22:52 pkcs7_unwrap: reading outer PKCS#7
2025-03-27 16:22:52 pkcs7_unwrap: PKCS#7 payload size: 3415 bytes
2025-03-27 16:22:52 pkcs7_unwrap: PKCS#7 contains 2319 bytes of enveloped data
2025-03-27 16:22:52 pkcs7_unwrap: verifying signature
2025-03-27 16:22:52 pkcs7_unwrap: signature ok
2025-03-27 16:22:52 pkcs7_unwrap: finding signed attributes
2025-03-27 16:22:52 __get_attribute: finding attribute transId
2025-03-27 16:22:52 __get_signed_attribute: allocating 64 bytes for attribute
2025-03-27 16:22:52 pkcs7_unwrap: reply transaction id: C0334742E916529450F2439F395631778CF28FF8A7A58FfdE6544A908ADA8FB2B6B9
2025-03-27 16:22:52 __get_attribute: finding attribute messageType
2025-03-27 16:22:52 __get_signed_attribute: allocating 1 bytes for attribute
2025-03-27 16:22:52 pkcs7_unwrap: reply message type is good
2025-03-27 16:22:52 __get_attribute: finding attribute senderNonce
2025-03-27 16:22:52 __get_signed_attribute: allocating 16 bytes for attribute
2025-03-27 16:22:52 pkcs7_unwrap: senderNonce in reply: 6D 91 8E 3E 3A 96 DE 44 90 6B 62 78 DB E7 74 AC
2025-03-27 16:22:52 __get_attribute: finding attribute recipientNonce
2025-03-27 16:22:52 __get_signed_attribute: allocating 16 bytes for attribute
2025-03-27 16:22:52 pkcs7_unwrap: recipientNonce in reply: 0F 12 52 EA 5F 4A 34 9B 3D 51 B1 6B C7 37 CD 9A
2025-03-27 16:22:52 __get_attribute: finding attribute pkiStatus
2025-03-27 16:22:52 __get_signed_attribute: allocating 1 bytes for attribute
2025-03-27 16:22:52 pkcs7_unwrap: pkistatus: SUCCESS
2025-03-27 16:22:52 pkcs7_unwrap: reading inner PKCS#7
2025-03-27 16:22:52 Couldn't read inner PKCS#7
```


This issue is reported in version 7.4.6 and later. It is fixed in version 8.0, and a fix is pending for the 7.4.x branch.
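To pin down where an enrollment like the one above breaks, the following script is added here as a worked example (it is not Fortinet code and is not part of the original article). It strips the timestamps the debug logger prepends, re-joins the nonce dumps that the console wrapped across lines with a timestamp interleaved before every byte, records which SCEP milestones the client reached (GetCACert, CA chain loaded, inner and outer PKCS#7 built, reply signature verified, pkiStatus read, inner PKCS#7 read), and reports the first error line. The stage names are my own labels, and `SAMPLE_LOG` is a constructed, abbreviated copy of the output above; the wrapped senderNonce lines are reproduced exactly as the article shows them so the re-joining is exercised on real output.

```python
import re

# Timestamp the debug logger prepends to every write.
TS_PREFIX = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s*")
# The same timestamp once all whitespace is removed; used on the nonce dumps,
# where a timestamp precedes every hex byte and some were wrapped mid-value.
TS_PACKED = re.compile(r"\d{4}-\d{2}-\d{2}\d{2}:\d{2}:\d{2}")
# A record normally starts with a function name and a colon ("pkcs7_unwrap: ...").
FUNC = re.compile(r"^[A-Za-z_]\w*:")
ERROR_HINTS = ("couldn't", "could not", "failed", "error")

# Milestones of one SCEP enrollment in the order the client reaches them
# (labels are this example's own), with the substring marking each one.
STAGES = [
    ("getca_request",      "SCEP_OPERATION_GETCA"),
    ("getca_response",     "valid response from server"),
    ("ca_chain_loaded",    "loaded CA"),
    ("inner_pkcs7_built",  "creating inner PKCS#7"),
    ("outer_pkcs7_built",  "creating outer PKCS#7"),
    ("request_written",    "PKCS#7 data written successfully"),
    ("reply_outer_read",   "reading outer PKCS#7"),
    ("reply_signature_ok", "signature ok"),
    ("reply_status_read",  "pkistatus:"),
    ("reply_inner_read",   "reading inner PKCS#7"),
]

# Constructed sample: an abbreviated copy of the article's debug output. The three
# senderNonce lines are copied verbatim, including the wrapped timestamp.
SAMPLE_LOG = """\
2025-03-27 16:22:52 __get_ca_cert_req: SCEP_OPERATION_GETCA
2025-03-27 16:22:52 __get_ca_cert_req: valid response from server
2025-03-27 16:22:52 __read_ca_cert_cb: loaded signing cert
2025-03-27 16:22:52 __read_ca_cert_cb: loaded encipher cert
2025-03-27 16:22:52 __read_ca_cert_cb: loaded CA
2025-03-27 16:22:52 pkcs7_wrap:1116 creating inner PKCS#7
2025-03-27 16:22:52 pkcs7_wrap: creating outer PKCS#7
2025-03-27 16:22:52 pkcs7_wrap: PKCS#7 data written successfully
Global certificate SCEP Signing Request started. Please check it in a while.
2025-03-27 16:22:52 pkcs7_unwrap: reading outer PKCS#7
2025-03-27 16:22:52 pkcs7_unwrap: signature ok
2025-03-27 16:22:52 pkcs7_unwrap: senderNonce in reply: 2025-03-27 16:22:52 6D2025-03-27 16:22:52 912025-03-27 16:22:52 8E2025-03-27 16:22:52 3E2025-03-27 16:22:52 3A
2025-03-27 16:22:52 962025-03-27 16:22:52 DE2025-03-27 16:22:52 442025-03-27 16:22:52 902025-03-27 16:22:52 6B2025-03-27 16:22:52 622025-03-27 16:22:52 782025-03-27 1
6:22:52 DB2025-03-27 16:22:52 E72025-03-27 16:22:52 742025-03-27 16:22:52 AC2025-03-27 16:22:52
2025-03-27 16:22:52 pkcs7_unwrap: pkistatus: SUCCESS
2025-03-27 16:22:52 pkcs7_unwrap: reading inner PKCS#7
2025-03-27 16:22:52 Couldn't read inner PKCS#7
"""


def logical_lines(log_text):
    """Strip the leading timestamp of each line and re-join wrapped nonce dumps."""
    records = []
    for raw in log_text.splitlines():
        body = TS_PREFIX.sub("", raw, count=1).strip()
        if not body:
            continue
        # A line without a "name:" prefix that follows a nonce dump is a wrapped
        # continuation of that dump, not a new record.
        if records and "Nonce in reply:" in records[-1] and not FUNC.match(body):
            records[-1] += " " + body
        else:
            records.append(body)
    return records


def parse_nonce(record):
    """Recover the hex nonce from a '...Nonce in reply: ...' record."""
    tail = record.partition("in reply:")[2]
    packed = "".join(tail.split())              # remove spaces and wrap breaks
    hexstr = TS_PACKED.sub("", packed).upper()  # drop the interleaved timestamps
    if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-F]*", hexstr):
        raise ValueError(f"nonce is not clean hex: {hexstr!r}")
    return hexstr


def triage(log_text):
    """Report the last milestone reached, the pkiStatus, nonces and first error."""
    reached, pki_status, nonces, error = [], None, {}, None
    for rec in logical_lines(log_text):
        for name, marker in STAGES:
            if marker in rec and name not in reached:
                reached.append(name)
        if "pkistatus:" in rec:
            pki_status = rec.split("pkistatus:", 1)[1].strip()
        if "Nonce in reply:" in rec:
            key = rec.partition(" in reply:")[0].split()[-1]   # e.g. senderNonce
            nonces[key] = parse_nonce(rec)
        if error is None and any(h in rec.lower() for h in ERROR_HINTS):
            error = rec
    last = reached[-1] if reached else None
    if error is None:
        verdict = "no error recorded"
    elif last == "reply_inner_read":
        verdict = (f"outer reply signature verified and CA returned pkiStatus "
                   f"{pki_status}; the failure is confined to reading the inner "
                   f"(enveloped) PKCS#7 of the reply")
    else:
        verdict = f"failed after stage {last}: {error}"
    return {"last_stage": last, "stages": reached, "pki_status": pki_status,
            "nonces": nonces, "error": error, "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run against the article's output, the script reports that every milestone up to and including `reading inner PKCS#7` was reached with pkiStatus `SUCCESS`, and that the single error line is `Couldn't read inner PKCS#7`, which is the distinguishing feature of this bug compared with a transport, CA-chain or signature failure earlier in the exchange.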