FortiManager
vraev
Staff
Article Id 254800
Description

This article describes how to configure a Certificate Template with SCEP enrollment on FortiManager, using FortiAuthenticator as an external Certificate Authority.

Scope

FortiManager 6.4 or above.

Solution

Create an external certificate template using FortiAuthenticator.

a) In FortiAuthenticator, enable SCEP on the interface(s) that FortiManager will connect to, under Network -> Interfaces.

b) Configure a local CA under Certificate Management -> Certificate Authorities -> Local CAs. In this example the local CA is named ROOTCA.

c) Select the CA from step b) in the SCEP settings under Certificate Management -> SCEP -> General.

d) Create a new Automatic 'Wildcard' Enrollment Request and fill in the required certificate information under Certificate Management -> SCEP -> Enrollment Requests.
In this example, the 'Company' field is set to 'fortinet', matching the 'Organization' field on the FortiManager side. A wildcard request automatically approves every SCEP request whose fields match it, so keep the fields as specific as the deployment allows.

e) In FortiManager, create a new Certificate Template under Device Manager -> Provisioning Templates -> Certificate Templates -> Create New.
Set CA Identifier to ROOTCA, the local CA from step b), and Organization to 'fortinet', matching the 'Company' field of the wildcard enrollment request on FortiAuthenticator. In this example the template is named 'testingcert'.

f) To test, generate a new certificate for one of the devices under Device Manager -> Provisioning Templates -> Certificate Templates -> select 'testingcert' -> More -> Generate.

g) Check the newly created certificate on the device under Device Manager -> Device & Groups -> Managed FortiGate -> NAME(root) -> System -> Certificates.
It has a name matching the template name, and the subject is always CN = <devicename>.<vdomname>. In this example: CN=jokey-fmg-esx27.root.

h) The approved request can be seen on the FortiAuthenticator side under Certificate Management -> SCEP -> Enrollment Requests.

i) The same information is also available in the FortiAuthenticator logs under Logging -> Log Access -> Logs.

Troubleshooting:

For troubleshooting the SCEP enrollment process, it is possible to temporarily set the FortiAuthenticator SCEP service to HTTP mode and then use a packet capture to view the communication between FortiManager and FortiAuthenticator in clear text. Switch it back to HTTPS once the test is finished.

Use the packet capture option in the FortiManager GUI under System Settings -> Network Interfaces -> Packet capture.

Or from the CLI, with x.x.x.x replaced by the FortiAuthenticator address:

# diagnose sniffer packet any "host x.x.x.x and port 80" 3 0 a

The following debug commands on FortiManager can provide additional information:

# diag deb application securityconsole 255
# diag debug service sys 255
# diag debug service task 255
# diag debug enable

After the test:

# diag debug disable
# diag debug reset

Error example:

More details on the error message can be found in the FortiManager Task Monitor under System Settings -> Task Monitor.

Also view the FortiAuthenticator logs under Logging -> Log Access -> Logs.

In this case, a certificate with subject 'O=fortinet, CN=jokey-fmg-esx27.root' and issuer 'CN=ROOTCA' already exists and is not eligible for renewal, so FortiAuthenticator rejects the new request. Generating the same template again for the same device always produces the same subject and issuer; revoke or delete the existing certificate on FortiAuthenticator, or wait until it is eligible for renewal under the SCEP renewal settings, before generating a new one.
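The following Python script is an added example for this troubleshooting section; it is not code from the article or from either Fortinet product. It covers the two checks a practitioner usually wants when the enrollment fails: it parses the request lines seen in the clear-text capture described above (which SCEP operation FortiManager sent and which CA Identifier it asked for) and, for the duplicate-certificate error above, it builds the subject a device will get from the template (O=<Organization>, CN=<devicename>.<vdomname>) and checks whether a certificate with that subject and issuer already exists. The /cert/scep URL path, the dictionary field names and all sample inputs are constructed assumptions; only the standard library is used.

```python
"""Offline checks for a FortiManager -> FortiAuthenticator SCEP enrollment.

Added example, not code from the Fortinet article or either product.
Standard library only; every sample input below is constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Operations defined by the SCEP specification (RFC 8894, section 3).
SCEP_OPERATIONS = {"GetCACaps", "GetCACert", "GetNextCACert", "PKIOperation"}


def parse_scep_request(request_line):
    """Parse the first line of a captured SCEP HTTP request.

    Returns the method, URL path, SCEP operation and the 'message' query
    parameter. For GetCACert/GetCACaps the message is the CA Identifier the
    client asked for; for a GET PKIOperation it is a base64 PKCS#7 blob
    (a POST PKIOperation carries the blob in the body, so message is None).
    """
    m = re.match(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\s*$", request_line)
    if not m:
        raise ValueError("not an HTTP request line: %r" % request_line)
    method, target = m.group(1), m.group(2)
    url = urlsplit(target)
    query = parse_qs(url.query, keep_blank_values=True)
    operation = query.get("operation", [None])[0]
    if operation not in SCEP_OPERATIONS:
        raise ValueError("unknown or missing SCEP operation: %r" % operation)
    return {
        "method": method,
        "path": url.path,
        "operation": operation,
        "message": query.get("message", [None])[0],
    }


def parse_dn(dn):
    """Parse a comma separated DN such as 'O=fortinet, CN=host.root' into a
    dict keyed by upper-cased attribute type."""
    parsed = {}
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN in %r" % dn)
        parsed[attr.strip().upper()] = value.strip()
    return parsed


def expected_subject(organization, device_name, vdom):
    """Subject FortiManager requests for a device: the template's
    Organization plus CN=<devicename>.<vdomname>."""
    return {"O": organization, "CN": "%s.%s" % (device_name, vdom)}


def check_template_match(template, enrollment):
    """Compare the FortiManager certificate template with the FortiAuthenticator
    side; returns a list of mismatches (empty when the request can match).

    template:   {'ca_identifier': ..., 'organization': ...}  (FortiManager)
    enrollment: {'local_ca': ..., 'company': ...}            (FortiAuthenticator)
    Field names are hypothetical, chosen for this example.
    """
    problems = []
    if template["ca_identifier"] != enrollment["local_ca"]:
        problems.append("CA Identifier %r does not match local CA %r"
                        % (template["ca_identifier"], enrollment["local_ca"]))
    if template["organization"] != enrollment["company"]:
        problems.append("Organization %r does not match wildcard Company %r"
                        % (template["organization"], enrollment["company"]))
    return problems


def find_blocking_certificate(issued, subject, issuer_cn):
    """Return the already-issued certificate (a dict with 'subject' and
    'issuer' DN strings) whose subject and issuer CN equal the ones a new
    request would carry, i.e. the duplicate FortiAuthenticator rejects as
    'already exists'; None if there is no such certificate."""
    for cert in issued:
        if (parse_dn(cert["subject"]) == subject
                and parse_dn(cert["issuer"]).get("CN") == issuer_cn):
            return cert
    return None


if __name__ == "__main__":
    # Constructed sample request lines, as read from a clear-text capture.
    # The /cert/scep path is an assumption for the FortiAuthenticator SCEP URL.
    for line in ("GET /cert/scep?operation=GetCACaps&message=ROOTCA HTTP/1.1",
                 "GET /cert/scep?operation=GetCACert&message=ROOTCA HTTP/1.1"):
        print(parse_scep_request(line))

    template = {"ca_identifier": "ROOTCA", "organization": "fortinet"}
    enrollment = {"local_ca": "ROOTCA", "company": "fortinet"}
    print("mismatches:", check_template_match(template, enrollment))

    subject = expected_subject("fortinet", "jokey-fmg-esx27", "root")
    # Constructed sample of certificates the CA has already issued.
    issued = [{"subject": "O=fortinet, CN=jokey-fmg-esx27.root",
               "issuer": "CN=ROOTCA"}]
    print("blocked by:", find_blocking_certificate(issued, subject, "ROOTCA"))
```

Paste the request lines from the capture (Wireshark's "Follow TCP Stream" view of the port 80 traffic, for instance) into parse_scep_request: a GetCACert whose message is not the local CA name, or a mismatch reported by check_template_match, explains a rejected enrollment before any debug output is read. find_blocking_certificate reproduces the duplicate-subject case from the error example above, since the subject for a given device and template never changes between runs.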

Related documents:

Creating a local CA on FortiAuthenticator

Technical Tip: Enabling the self-service portal for certificate enrollment and password changes

Docs: Certificate templates

Docs: Packet capture