Hi all,
i am trying to get a certificate for a cmp client from the FAC (6.6.0).
In beforehand i
This the command:
openssl cmp -cmd ir -server http://192.168.1.99/app/cert/cmp2/ -subject /C=Country/ST=State/L=City/O=Company/CN=PFC200/emailAddress=placeholder@company.com -newkey key.pem -certout cert.pem
The problem is, that the cmp client throws the following error:
CMP info: sending IR
CMP info: received ERROR
CMP error: missing protection
I could not find any hints as to how i can resolve the error/what the reason is. Unfortunately i cannot see any log entries in the logs of the FAC to further investigate. A capture from the answer of the cmp server on the FAC in wireshark shows the following:
Therefore i tried many versions of the abovehand command by
The only fitting thing i could find regarding the "bad request" error was on this website https://docs.keyfactor.com/ejbca/latest/cmp-error-messages
"Submitting a CMP client mode enrollment request with invalid certificate extensions specified."
I tried changing the file extensions from -certout cert.pem to .crt or .cer with no success.
So what exactly is meant by the missing protection ?
The whole point of enrolling with the FAC is a scenario in which the devices dont know each other beforehand.
Thanks in advance and kr
marv
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Marv2,
Thank you for using the Community Forum.
Please check the following:
1) From FAC
https://<FAC IP/domain>/debug > Others > SCEP/CMP > enable debug mode
Simulated the issue and check what is the message showing in the debug mode.
* please Exit debug mode after completed.
2) Ensure you do enable http and CMP services on incoming interface
System > Network >Interfaces > [interface] > Access Rights
Thanks
Hello Marv2,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hello Marv2,
Thank you for using the Community Forum.
Please check the following:
1) From FAC
https://<FAC IP/domain>/debug > Others > SCEP/CMP > enable debug mode
Simulated the issue and check what is the message showing in the debug mode.
* please Exit debug mode after completed.
2) Ensure you do enable http and CMP services on incoming interface
System > Network >Interfaces > [interface] > Access Rights
Thanks
Thanks, I was able to sort out the problem. In the end I managed to get a certificate by creating an enrollment request on the FAC and the following command on the client
openssl cmp -cmd ir -server http://192.168.1.99/app/cert/cmp2 -ref <ref_from_enrollment_request> -subject /C=xx/ST=xx/L=xx/O=xx/CN=xx/emailAddress=xx@xx.com -secret pass:<password_from_enrollment_request> -newkey key.pem -certout cert.pem
Replace the password, ref and the fields of the DN with the parameters that have been given in the ER in the FAC.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1665 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.