FortiAuthenticator CMP Server
Hi all,
I am trying to get a certificate for a CMP client from the FAC (6.6.0).
Beforehand I
- generated a .pem key pair on the CMP client (openssl genrsa -out key.pem 2048)
- generated a CA cert for the FAC
- generated a server cert for the CMP server on the FAC
This is the command:
openssl cmp -cmd ir -server http://192.168.1.99/app/cert/cmp2/ -subject /C=Country/ST=State/L=City/O=Company/CN=PFC200/emailAddress=placeholder@company.com -newkey key.pem -certout cert.pem
The problem is that the CMP client throws the following error:
CMP info: sending IR
CMP info: received ERROR
CMP error: missing protection
I could not find any hints as to how I can resolve the error or what the reason is. Unfortunately I cannot see any log entries in the logs of the FAC to investigate further. A capture of the answer from the CMP server on the FAC in Wireshark shows the following:
Therefore I tried many versions of the above command by
- adding -recipient (DN of the server)
- creating an enrollment request on the FAC and passing the thereby generated passphrase (something like xpbftSv4) with -secret pass:xpbftSv4
- passing a self-signed certificate and its key on the client side instead of only a key
- passing the -unprotected_requests flag
The only fitting thing I could find regarding the "bad request" error was on this website https://docs.keyfactor.com/ejbca/latest/cmp-error-messages
"Submitting a CMP client mode enrollment request with invalid certificate extensions specified."
I tried changing the file extensions from -certout cert.pem to .crt or .cer with no success.
So what exactly is meant by the missing protection?
The whole point of enrolling with the FAC is a scenario in which the devices don't know each other beforehand.
Thanks in advance and kr
marv
Hello Marv2,
Thank you for using the Community Forum.
Please check the following:
1) From the FAC:
https://<FAC IP/domain>/debug > Others > SCEP/CMP > enable debug mode
Simulate the issue and check what message is shown in debug mode.
* Please exit debug mode after you have completed this.
2) Ensure you have enabled the HTTP and CMP services on the incoming interface:
System > Network > Interfaces > [interface] > Access Rights
Thanks
Hello Marv2,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Thanks, I was able to sort out the problem. In the end I managed to get a certificate by creating an enrollment request on the FAC and running the following command on the client:
openssl cmp -cmd ir -server http://192.168.1.99/app/cert/cmp2 -ref <ref_from_enrollment_request> -subject /C=xx/ST=xx/L=xx/O=xx/CN=xx/emailAddress=xx@xx.com -secret pass:<password_from_enrollment_request> -newkey key.pem -certout cert.pem
Replace the password, ref and the fields of the DN with the parameters that have been given in the ER in the FAC.
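The question asks what "missing protection" means, and the accepted fix is to pass the -ref and -secret issued by the FAC enrollment request. The script below is an added illustration, not code from this thread, from Fortinet or from OpenSSL: it implements the PasswordBasedMac (PBM) scheme from RFC 4210 section 5.1.3.1, which is the protection that `openssl cmp -ref ... -secret pass:...` applies to the request, and models a CA checking it. The reference "ref-0001", the 1000 iteration count, the message body bytes and the one-request table are constructed for the example (the real protectedPart is the DER encoding of the PKIMessage header and body, not a plain string); the passphrase is the thread's own sample value.

```python
"""
Added example (not from the forum thread, Fortinet or OpenSSL): what CMP
"message protection" is and why an IR sent with neither a shared secret
nor a signing certificate is refused. Implements RFC 4210 5.1.3.1
PasswordBasedMac; message structure is reduced to the fields PBM needs.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OWF = hashlib.sha256  # assumed one-way function; RFC 4210 permits any OWF


def pbm_base_key(secret: bytes, salt: bytes, iterations: int,
                 owf: Callable = OWF) -> bytes:
    """RFC 4210 5.1.3.1 key derivation.

    The salt is appended to the shared secret, then the OWF is applied
    iterationCount times in total, each round hashing the previous output.
    The final output (BASEKEY) is the MAC key.
    """
    if iterations < 1:
        raise ValueError("iterationCount must be at least 1")
    basekey = owf(secret + salt).digest()
    for _ in range(iterations - 1):
        basekey = owf(basekey).digest()
    return basekey


def pbm_mac(protected_part: bytes, secret: bytes, salt: bytes,
            iterations: int) -> bytes:
    """HMAC-SHA256 over protectedPart with the PBM-derived key."""
    return hmac.new(pbm_base_key(secret, salt, iterations),
                    protected_part, hashlib.sha256).digest()


@dataclass
class CmpMessage:
    """Reduced model of a PKIMessage: only what the protection check uses."""
    sender_kid: Optional[bytes]   # the -ref value, carried as header.senderKID
    salt: Optional[bytes]
    iterations: Optional[int]
    protected_part: bytes         # stands in for DER(header || body)
    protection: Optional[bytes]   # None means no protection field at all


def client_build_ir(body: bytes, ref: Optional[str] = None,
                    secret: Optional[str] = None,
                    iterations: int = 1000) -> CmpMessage:
    """Build an IR; without ref and secret it goes out unprotected."""
    if ref is None or secret is None:
        return CmpMessage(None, None, None, body, None)
    salt = os.urandom(16)  # fresh per message, sent in the clear in the header
    return CmpMessage(ref.encode(), salt, iterations, body,
                      pbm_mac(body, secret.encode(), salt, iterations))


def server_check(msg: CmpMessage,
                 enrollment_requests: Dict[bytes, bytes]) -> str:
    """Mimic the CA side: look up the secret by reference and verify the MAC."""
    if msg.protection is None:
        return "missing protection"
    secret = enrollment_requests.get(msg.sender_kid)
    if secret is None:
        return "unknown reference"
    expected = pbm_mac(msg.protected_part, secret, msg.salt, msg.iterations)
    if not hmac.compare_digest(expected, msg.protection):
        return "bad protection"
    return "accepted"


def demo() -> Dict[str, str]:
    # Constructed: one outstanding enrollment request (ref -> passphrase),
    # as the CA holds after an enrollment request is created.
    pending = {b"ref-0001": b"xpbftSv4"}
    body = b"constructed-stand-in-for-DER-header-and-CertReqMsg"
    results = {}
    # 1. Key only, no -ref/-secret and no -cert/-key: nothing to verify.
    results["no_secret"] = server_check(client_build_ir(body), pending)
    # 2. -ref and -secret from the enrollment request.
    good = client_build_ir(body, "ref-0001", "xpbftSv4")
    results["ref_and_secret"] = server_check(good, pending)
    # 3. Valid reference, wrong passphrase.
    results["wrong_secret"] = server_check(
        client_build_ir(body, "ref-0001", "wrong"), pending)
    # 4. Body altered in transit: the MAC no longer matches.
    tampered = CmpMessage(good.sender_kid, good.salt, good.iterations,
                          body + b"X", good.protection)
    results["tampered"] = server_check(tampered, pending)
    # 5. Reference the CA never issued.
    results["unknown_ref"] = server_check(
        client_build_ir(body, "ref-9999", "xpbftSv4"), pending)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} -> {verdict}")
```

The first case is the situation in the original command: the IR carries no protection field, so the CA has nothing with which to confirm who sent it, and it cannot fall back to a signature either because the client has no CA-issued certificate yet. The reference is what lets the CA pick the right one-time passphrase, which is why both -ref and -secret were needed.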
