Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
AEK
SuperUser
SuperUser

Created on ‎10-01-2025 11:44 AM Edited on ‎10-01-2025 12:17 PM

pkcs7 unwrap error when using scep

Hi FWB/FAC admins

  • FWB 7.4.9
  • FAC 6.4.10

I configured SCEP on FAC and my FGT works well with it.

However my FWB doesn't I get this error when I try to generate CSR: "pkcs7 unwrap error" (screenshot).

FAC says the request was properly received and we can see in Pending status in Enrollment Requests.

FWB doesn't keep the new key following the issue.

 

fwb_scep.png

 

 

Any idea?

AEK
AEK
Labels:
387
0 Kudos
7 REPLIES 7
Anthony_E
Community Manager
Community Manager

Created on ‎10-03-2025 11:32 PM

Hello Abdelkrim,

 

I hope you are doing well :)!


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
343
0 Kudos
Anthony_E
Community Manager
Community Manager

Created on ‎10-06-2025 11:13 PM

Hello Abdelkrim,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
289
ebilcari
Staff
Staff

Created on ‎10-07-2025 12:31 AM

Is the enrollment set to automatic or manual and does it include the necessary options in 'Advanced Options: Key Usages'?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
283
AEK
SuperUser
SuperUser

Created on ‎10-07-2025 06:11 AM

Thanks Anthony and Emirjon

 

The enrollment is "Manual and Automatic". I also tested "Automatic" but didn't help.

I didn't touch the options under Key Usages, I just left them with their default values.

I think the issue is not from FAC side because as mentioned above the same SCEP config worked well with my FGT.

AEK
AEK
270
0 Kudos
ebilcari
Staff
Staff
In response to AEK

Created on ‎10-08-2025 01:30 AM

I haven't tested with default values, I always put these options manually:
keyUsage:
Digital Signature
extendedKeyUsage:
TLS Web Client Authentication, TLS Web Server Authentication

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
245
0 Kudos
lokatmo4
New Contributor

Created on ‎10-07-2025 06:58 AM

SCEP is much more secure, because the private key is generated on the device. On Windows devices that would be the TPM, on iOS in the Secure Enclave. It never leaves the device. With PKCS the private key goes around a lot more.

10.0.0.0.1 192.168.1.254
10.0.0.0.1 192.168.1.254
265
0 Kudos
AEK
SuperUser
SuperUser

Created on ‎10-08-2025 03:06 PM

Hi Emirjon

Following more tests I could make it work with FWB but only after I manually create the enrollment on FAC. While for FGT the enrollment is automatically created on FAC.

When I try from FWB I get the following error is seen on FAC.

Message      SCEP PKCSReq: error creating a new manual enrollment request

Enrollment method is set to "Manual and Auto".

AEK
AEK
200
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.