Hi FWB/FAC admins
I configured SCEP on FAC and my FGT works well with it.
However, my FWB doesn't. I get this error when I try to generate a CSR: "pkcs7 unwrap error" (screenshot).
FAC says the request was properly received, and we can see it in Pending status in Enrollment Requests.
FWB doesn't keep the new key following the issue.
Any idea?
Hello Abdelkrim,
I hope you are doing well :)!
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello Abdelkrim,
We are still looking for someone to help you.
We will come back to you ASAP.
Thanks,
Is the enrollment set to automatic or manual and does it include the necessary options in 'Advanced Options: Key Usages'?
Thanks Anthony and Emirjon
The enrollment is "Manual and Automatic". I also tested "Automatic" but it didn't help.
I didn't touch the options under Key Usages, I just left them with their default values.
I think the issue is not from FAC side because as mentioned above the same SCEP config worked well with my FGT.
I haven't tested with default values, I always put these options manually:
keyUsage:
Digital Signature
extendedKeyUsage:
TLS Web Client Authentication, TLS Web Server Authentication
SCEP is much more secure, because the private key is generated on the device. On Windows devices that would be the TPM, on iOS in the Secure Enclave. It never leaves the device. With PKCS the private key goes around a lot more.
Hi Emirjon
Following more tests, I could make it work with FWB, but only after I manually create the enrollment on FAC, while for FGT the enrollment is automatically created on FAC.
When I try from FWB, the following error is seen on FAC.
Message SCEP PKCSReq: error creating a new manual enrollment request
Enrollment method is set to "Manual and Auto".