AEK
SuperUser

pkcs7 unwrap error when using scep

Hi FWB/FAC admins

  • FWB 7.4.9
  • FAC 6.4.10

I configured SCEP on FAC and my FGT works well with it.

However, my FWB doesn't. I get this error when I try to generate a CSR: "pkcs7 unwrap error" (screenshot).

FAC says the request was properly received and we can see it in Pending status in Enrollment Requests.

FWB doesn't keep the new key following the issue.

 


Any idea?

AEK
Anthony_E
Community Manager

Hello Abdelkrim,

 

I hope you are doing well :)!


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello Abdelkrim,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
ebilcari
Staff

Is the enrollment set to automatic or manual and does it include the necessary options in 'Advanced Options: Key Usages'?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
AEK
SuperUser

Thanks Anthony and Emirjon

 

The enrollment is "Manual and Automatic". I also tested "Automatic" but it didn't help.

I didn't touch the options under Key Usages; I just left them with their default values.

I think the issue is not on the FAC side because, as mentioned above, the same SCEP config worked well with my FGT.

AEK
ebilcari

I haven't tested with default values; I always set these options manually:

  • keyUsage: Digital Signature
  • extendedKeyUsage: TLS Web Client Authentication, TLS Web Server Authentication

- Emirjon
lokatmo4
New Contributor

SCEP is much more secure, because the private key is generated on the device. On Windows devices that would be the TPM, on iOS in the Secure Enclave. It never leaves the device. With PKCS the private key goes around a lot more.

AEK
SuperUser

Hi Emirjon

Following more tests, I could make it work with FWB, but only after I manually created the enrollment on FAC, while for FGT the enrollment is automatically created on FAC.

When I try from FWB, the following error is seen on FAC.

Message      SCEP PKCSReq: error creating a new manual enrollment request

Enrollment method is set to "Manual and Auto".

AEK