Fortinet white logo
Fortinet white logo

Administration Guide

SCEP

SCEP

FortiAuthenticator contains a Simple Certificate Enrollment Protocol (SCEP) server that can sign user CSRs, and distribute CRLs and CA certificates. To use SCEP, you must:

  • Enable HTTP administrative access on the interface(s) connected to the Internet. See Interfaces.
    Note

    The recommended configuration for SCEP interfaces includes:

    • One dedicated interface for system administration which includes enforced IP address restriction on admin access.
    • One dedicated interface for service provisioning.
    • One dedicated interface for the HA heartbeat when configured in an HA cluster.

Users can request a user certificate through online SCEP, found at http://<FortiAuthenticator-IP-Address>/cert/scep.

General

As an administrator, you can allow FortiAuthenticator to either automatically sign the user’s certificate or alert you about the request for a signature.

To enable SCEP and configure general settings, go to Certificate Management > SCEP > General and select Enable SCEP.

Configure the following settings:

Default CA Select the default local CA to use from the dropdown menu.
Enrollment method

Select the enrollment method:

  • Automatic: The certificate is pre-approved by the administrator. The administrator enters the certificate information on FortiAuthenticator and gives the user a challenger password to use when submitting their request.
  • Manual and Automatic: The user submits the CSR, the request shows up as pending on FortiAuthenticator unit, then the administrator manually approves the pending request. Optionally, enter an email address to be informed of pending approval notifications.
Default enrollment password Enter the default enrollment password that is used when not setting a random password.
Revoke the old certificate on renewal Enable to revoke the old certificate after it is renewed.

Select OK to apply any changes you have made.

Enrollment requests

To view and manage certificate enrollment requests, go to Certificate Management > SCEP > Enrollment Requests.

Note that, before you can create or configure certificate enrollment requests, SCEP must be enabled, and HTTP access must be enabled on the network interface(s) that will serve SCEP clients (under System > Network > Interfaces).

The following information is available:

Create New Create a new certificate enrollment request.
Delete Delete the selected certificate enrollment request.
Approve or Reject Approve or reject the selected certificate enrollment request.
Method The enrollment method used.
Status The status of the enrollment: Pending, Approved, or Rejected.
Wildcard If it is a wildcard request, a green circle with a check mark is shown.
Issuer The issuer of the certificate.
Subject The certificate subject.
Renewable Before Expiry (days) The number of days before the certificate enrollment request expires that it can be renewed.
Updated at The date and time that the enrollment request was last updated.
To view the enrollment request details:
  1. From the enrollment request list, select a request by clicking within its row.
  2. Select Close to return to the enrollment request window.
To reset the enrollment request status:
  1. From the Certificate Enrollment Request window, select Did the client lose his/her certificate and key? The Reset enrollment request status? window opens.
  2. There are two methods to reset the enrollment request:
  • Manually remove the old enrollment request, revoke its certificate, then create a new enrollment request with exactly the same configuration and subject name as the old certificate.
  • Re-use the same enrollment request by resetting its status and then revoking the lost certificate (recommended).
  • To re-use the same enrollment request, select Yes, I’m sure.
  • To create a new certificate enrollment request:
    1. From the certificate enrollment requests list, select Create New.
    2. Enter the following information:
      Automatic request type Select the automatic request type, either Regular or Wildcard.
      Certificate Authority

      Select one of the available local CAs configured on FortiAuthenticator from the dropdown menu.

      The local CA must be valid and current. If it is not you will have to create or import a local CA certificate before continuing. See Certificate authorities.

      Subject Information
      Subject input methodSelect the subject input method, either Fully distinguished name or Field-by-field.
      Subject DN

      If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.

      Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.

      Name (CN)

      If the subject input method is Field-by-field, enter the subject name in the Name (CN) field (if the Automatic request type is set to Regular), and optionally enter the following fields:

      • Department (OU)
      • Company (O)
      • City (L)
      • State/Province (ST)
      • Country (C) (select from dropdown menu)
      • Email address
      Certificate Signing Options
      Validity period

      Select the amount of time before this certificate expires.

      Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

      Hash algorithmSelect the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1.
      Challenge Password
      Password creationSelect to either set a random password, or use the default enrollment password (see Default enrollment password).
      Challenge password distribution

      Select the challenge password distribution method. This option is only available if Password creation is set to Set a random password.

      • Display: Display the password on the screen.
      • SMS: Send the password to a mobile phone. Enter the phone number in the Mobile number field and select an SMS gateway from the dropdown menu.
      • Email: Send the password to the email address entered in the email field.
      Renewal

      To allow renewals, select Allow renewal, then enter the number of days before the certificate expires (minimum of one day).

      When renewal is enabled, you can optionally either allow or reject SCEP renewal requests for expired and revoked certificates (as burst renewal requests from FortiGate devices could exhaust the FortiAuthenticator and create duplicate certificates), and either allow or reject SCEP renewal requests signed using the old private key.

      Subject Alternative Name

      SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

      This section is not available when the certificate type is Intermediate CA certificate signing request (CSR).

      EmailEnter the email address of a user to map to this certificate.
      User Principal Name (UPN)Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
    3. Optionally, apply key usage attributes.

      Advanced Options: Key Usages

      Key Usages

      Key usage attributes identify the purpose(s) of a certificate's key. Some applications require the explicit presence of attributes before the certificate will be accepted for use. When an entity contains multiple certificates or keys, key usage attributes can also be used to identify which is the correct certificate or key to use.

      When the Critical option is enabled, the certificate can only be used for the purposes indicated by the selected attributes, and attempting to use the certificate for other purposes results in a CA policy violation.

      For detailed information about key usage attributes, see End entities.

      Extended Key Usages

      Extended Key Usages provides an extended list of selectable attributes.

      The Critical option can also be applied to extended key usage attributes. When the Critical option is applied to both key usage and extended key usage attributes, only certificates that are consistent with both fields are accepted.

      For detailed information about extended key usage attributes, see End entities.

    4. Select OK to create the new certificate enrollment request.

      When created, the request will have a Status of Pending. A code is displayed which must be provided to the client as a challenge password for the automatic certificate enrollment process.

    SCEP

    SCEP

    FortiAuthenticator contains a Simple Certificate Enrollment Protocol (SCEP) server that can sign user CSRs, and distribute CRLs and CA certificates. To use SCEP, you must:

    • Enable HTTP administrative access on the interface(s) connected to the Internet. See Interfaces.
      Note

      The recommended configuration for SCEP interfaces includes:

      • One dedicated interface for system administration which includes enforced IP address restriction on admin access.
      • One dedicated interface for service provisioning.
      • One dedicated interface for the HA heartbeat when configured in an HA cluster.

    Users can request a user certificate through online SCEP, found at http://<FortiAuthenticator-IP-Address>/cert/scep.

    General

    As an administrator, you can allow FortiAuthenticator to either automatically sign the user’s certificate or alert you about the request for a signature.

    To enable SCEP and configure general settings, go to Certificate Management > SCEP > General and select Enable SCEP.

    Configure the following settings:

    Default CA Select the default local CA to use from the dropdown menu.
    Enrollment method

    Select the enrollment method:

    • Automatic: The certificate is pre-approved by the administrator. The administrator enters the certificate information on FortiAuthenticator and gives the user a challenger password to use when submitting their request.
    • Manual and Automatic: The user submits the CSR, the request shows up as pending on FortiAuthenticator unit, then the administrator manually approves the pending request. Optionally, enter an email address to be informed of pending approval notifications.
    Default enrollment password Enter the default enrollment password that is used when not setting a random password.
    Revoke the old certificate on renewal Enable to revoke the old certificate after it is renewed.

    Select OK to apply any changes you have made.

    Enrollment requests

    To view and manage certificate enrollment requests, go to Certificate Management > SCEP > Enrollment Requests.

    Note that, before you can create or configure certificate enrollment requests, SCEP must be enabled, and HTTP access must be enabled on the network interface(s) that will serve SCEP clients (under System > Network > Interfaces).

    The following information is available:

    Create New Create a new certificate enrollment request.
    Delete Delete the selected certificate enrollment request.
    Approve or Reject Approve or reject the selected certificate enrollment request.
    Method The enrollment method used.
    Status The status of the enrollment: Pending, Approved, or Rejected.
    Wildcard If it is a wildcard request, a green circle with a check mark is shown.
    Issuer The issuer of the certificate.
    Subject The certificate subject.
    Renewable Before Expiry (days) The number of days before the certificate enrollment request expires that it can be renewed.
    Updated at The date and time that the enrollment request was last updated.
    To view the enrollment request details:
    1. From the enrollment request list, select a request by clicking within its row.
    2. Select Close to return to the enrollment request window.
    To reset the enrollment request status:
    1. From the Certificate Enrollment Request window, select Did the client lose his/her certificate and key? The Reset enrollment request status? window opens.
    2. There are two methods to reset the enrollment request:
    • Manually remove the old enrollment request, revoke its certificate, then create a new enrollment request with exactly the same configuration and subject name as the old certificate.
    • Re-use the same enrollment request by resetting its status and then revoking the lost certificate (recommended).
  • To re-use the same enrollment request, select Yes, I’m sure.
  • To create a new certificate enrollment request:
    1. From the certificate enrollment requests list, select Create New.
    2. Enter the following information:
      Automatic request type Select the automatic request type, either Regular or Wildcard.
      Certificate Authority

      Select one of the available local CAs configured on FortiAuthenticator from the dropdown menu.

      The local CA must be valid and current. If it is not you will have to create or import a local CA certificate before continuing. See Certificate authorities.

      Subject Information
      Subject input methodSelect the subject input method, either Fully distinguished name or Field-by-field.
      Subject DN

      If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes.

      Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive.

      Name (CN)

      If the subject input method is Field-by-field, enter the subject name in the Name (CN) field (if the Automatic request type is set to Regular), and optionally enter the following fields:

      • Department (OU)
      • Company (O)
      • City (L)
      • State/Province (ST)
      • Country (C) (select from dropdown menu)
      • Email address
      Certificate Signing Options
      Validity period

      Select the amount of time before this certificate expires.

      Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires.

      Hash algorithmSelect the hash algorithm from the dropdown menu, either SHA-256 (set by default) or SHA-1.
      Challenge Password
      Password creationSelect to either set a random password, or use the default enrollment password (see Default enrollment password).
      Challenge password distribution

      Select the challenge password distribution method. This option is only available if Password creation is set to Set a random password.

      • Display: Display the password on the screen.
      • SMS: Send the password to a mobile phone. Enter the phone number in the Mobile number field and select an SMS gateway from the dropdown menu.
      • Email: Send the password to the email address entered in the email field.
      Renewal

      To allow renewals, select Allow renewal, then enter the number of days before the certificate expires (minimum of one day).

      When renewal is enabled, you can optionally either allow or reject SCEP renewal requests for expired and revoked certificates (as burst renewal requests from FortiGate devices could exhaust the FortiAuthenticator and create duplicate certificates), and either allow or reject SCEP renewal requests signed using the old private key.

      Subject Alternative Name

      SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard.

      This section is not available when the certificate type is Intermediate CA certificate signing request (CSR).

      EmailEnter the email address of a user to map to this certificate.
      User Principal Name (UPN)Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping.
    3. Optionally, apply key usage attributes.

      Advanced Options: Key Usages

      Key Usages

      Key usage attributes identify the purpose(s) of a certificate's key. Some applications require the explicit presence of attributes before the certificate will be accepted for use. When an entity contains multiple certificates or keys, key usage attributes can also be used to identify which is the correct certificate or key to use.

      When the Critical option is enabled, the certificate can only be used for the purposes indicated by the selected attributes, and attempting to use the certificate for other purposes results in a CA policy violation.

      For detailed information about key usage attributes, see End entities.

      Extended Key Usages

      Extended Key Usages provides an extended list of selectable attributes.

      The Critical option can also be applied to extended key usage attributes. When the Critical option is applied to both key usage and extended key usage attributes, only certificates that are consistent with both fields are accepted.

      For detailed information about extended key usage attributes, see End entities.

    4. Select OK to create the new certificate enrollment request.

      When created, the request will have a Status of Pending. A code is displayed which must be provided to the client as a challenge password for the automatic certificate enrollment process.