Support Forum
AndreVorster
New Contributor

SCEP certificate enrollment failed

Hi, I am trying to enable cert-based authentication for SSL VPN on my 60C running 4mr2. The problem is I am getting "SCEP certificate enrollment failed". What is the debug command to debug this, as I need to figure out whether the problem is on the SCEP server (Windows 2008) or on the FW? Regards
4 REPLIES
alexlev2004
New Contributor

Hello Andre and all, I am having the same issue, without being able to understand what's wrong. I tried to play with different parameters and RTFM the http://docs-legacy.fortinet.com/fgt/sysadmin/fortios_certificate_management.pdf etc. I am using a FortiWifi 60C (as Andre did), 4.0 MR3 patch 18 (updated just to check this issue). How can this issue be debugged/worked around? Can anyone confirm it is working in this release/product? Thank you! Alex
Alex Levit
Jeff_FTNT
Staff

For Windows 2008 Server, it is forced to use HTTPS for the certificate request/signing. Try using an HTTPS URL for SCEP: https://scep.win8.com/certsrv/mscep/mscep.dll. The FGT uses the FQDN and checks that it matches CN=scep.win8.com on the Windows 2008 server certificate.
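A pre-flight check for the two points raised above (whether the SCEP URL is HTTPS, and whether the server certificate's CN or DNS SAN matches the FQDN in that URL), as an added example that is not from this thread or from Fortinet. It uses only the Python standard library; the function names and the GetCACaps probe are my own additions (GetCACaps is a standard SCEP operation, but nothing here is FortiGate code).

```python
# Added example: pre-flight checks on an NDES/SCEP URL before pointing a FortiGate at it.
# Python 3 standard library only; names below are this example's own.
import ssl
import socket
from urllib.parse import urlsplit
from urllib.request import urlopen


def hostname_matches(host: str, names: list) -> bool:
    """True if host equals one of the certificate names (CN or DNS SANs).
    A single leading wildcard label ('*.example.com') covers exactly one label."""
    host = host.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            parts = host.split(".", 1)
            if len(parts) == 2 and parts[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False


def parse_ca_caps(body: str) -> set:
    """Parse a GetCACaps response: one capability keyword per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def cert_names(cert: dict) -> list:
    """Collect commonName and DNS subjectAltName values from ssl.getpeercert()."""
    names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    names += [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return names


def check_scep_url(scep_url: str) -> dict:
    """Network part: TLS-connect to the SCEP host, compare the cert names with the
    URL's FQDN, then fetch GetCACaps. Raises on TLS/HTTP failure, like the FGT would."""
    u = urlsplit(scep_url)
    result = {"https": u.scheme == "https"}
    if result["https"]:
        ctx = ssl.create_default_context()
        with socket.create_connection((u.hostname, u.port or 443)) as s, \
                ctx.wrap_socket(s, server_hostname=u.hostname) as tls:
            names = cert_names(tls.getpeercert())
        result["cert_names"] = names
        result["name_match"] = hostname_matches(u.hostname, names)
    with urlopen(scep_url + "?operation=GetCACaps", timeout=10) as r:
        result["caps"] = parse_ca_caps(r.read().decode("ascii", "replace"))
    return result
```

Run `check_scep_url("https://scep.win8.com/certsrv/mscep/mscep.dll")` from a host that can reach the NDES server; a name mismatch or TLS error here is the same condition the FortiGate reports only as "SCEP certificate enrollment failed".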
alexlev2004
New Contributor

Thanks Jeff_FTNT. Finally found that there was a mix of problems. After resolving them, it worked with HTTP and Windows Server 2008 R2. I need to say that it is still an open question how to troubleshoot such problems while you always get the same error response for all cases with no events logged. Another problem is that I see commands in the CLI reference that do not actually work on the device (nor in the web GUI). From the CLI reference of 4.3, page 614:

    config vpn certificate local
        edit <cert_name>
            set auto-regenerate-days <days_int>
            set auto-regenerate-days-warning <days_int>
    end

I attached the help given by the device, and it is not recognizing these commands... I want to set the device to issue a request automatically before the certificate expires and sign the request with the still-working certificate instead of a challenge password. Any clue how to do it in the CLI or web GUI? Thanks! Alex
Alex Levit
Jeff_FTNT
Staff

It is a CLI-only feature. Input "scep-url" first, then those two options will show up. Make sure your SCEP server did not use "dynamic challenge password".

    config vpn certificate local
        edit "test"
            set password ENC kOIXR342rohOFY1PdpNl1ZQYkJ/wz9ZpyDnO7BmMwm3vg2DIi/OLKBpT2Q3augLK1R1z2f5nGfvrdA1RyGJ6x0YkqizWaxMjkyWWs4tmv1+TNUsmjB6cVlmx5G9os6Vp7Yw8dtFxQJdajktsTbAhMej7YCA1vncq5QPjHjItGTjGmTbNH3UVd7nXTLyFRMKK6dm5Hg==
            set scep-url "http://172.18.5.59/cert/scep"
            set auto-regenerate-days-warning 30
            set scep-password ENC hDOfXfu29zpan6dSfuE7M3y4WSrY4OF8umIdcJ3XH/C4CWjLlwz1AJuGBqLwZ5NFN4cPkYJP/SSDzJiZK862D9EhSl1tDruhJ1Q7B1efshe30LjsC96XzHgnx2H8OrE+ifCGNSTWStdOSM1aEmtxTrHMITzNt3c447JTRREYMc3FkATRGb1xip3/Ip/dqNshzeOTKw==
        next
    end