SCEP
FortiAuthenticator contains a Simple Certificate Enrollment Protocol (SCEP) server that can sign user CSRs, and distribute CRLs and CA certificates. To use SCEP, you must:
- Enable HTTP administrative access on the interface(s) connected to the Internet. See Network.
  The recommended configuration for SCEP interfaces includes:
  - One dedicated interface for system administration which includes enforced IP address restriction on admin access.
  - One dedicated interface for service provisioning.
  - One dedicated interface for the HA heartbeat when configured in an HA cluster.
- Add a local certificate authority (root or intermediate). See Certificate authorities.
- Select the local signing CA to use for SCEP. See Default CA.
Users can request a user certificate through online SCEP, found at http://<FortiAuthenticator-IP-Address>/app/cert/scep.
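A client-side check for the enrollment endpoint above, as an added example that is not part of the FortiAuthenticator documentation: it builds the standard SCEP GetCACaps request (RFC 8894) for the /app/cert/scep path and audits the capabilities a server advertises. It assumes the server answers GetCACaps at that path; the host address and both sample responses are constructed.

```python
from urllib.parse import urlencode, urlunsplit

SCEP_PATH = "/app/cert/scep"  # enrollment path given on this page

# RFC 8894 section 3.5.2: the SCEPStandard keyword implies these three.
IMPLIED_BY_STANDARD = {"AES", "SHA-256", "POSTPKIOPERATION"}


def scep_url(host, operation):
    """Build the GET URL for a SCEP operation such as GetCACaps or GetCACert."""
    query = urlencode({"operation": operation})
    return urlunsplit(("http", host, SCEP_PATH, query, ""))


def parse_caps(body):
    """Parse a GetCACaps body: one keyword per line; unknown keywords are kept."""
    caps = {line.strip().upper() for line in body.splitlines() if line.strip()}
    if "SCEPSTANDARD" in caps:
        caps |= IMPLIED_BY_STANDARD
    return caps


def audit_caps(caps):
    """Return the findings to resolve before clients enroll against this server."""
    findings = []
    if not caps & {"SHA-256", "SHA-512"}:
        findings.append("no SHA-2 digest advertised")
    if "AES" not in caps:
        findings.append("no AES advertised")
    if "POSTPKIOPERATION" not in caps:
        findings.append("HTTP POST not advertised for PKIOperation")
    return findings


# Constructed sample responses (not captured from a real device).
LEGACY_BODY = "DES3\nSHA-1\nRenewal\n"
MODERN_BODY = "SCEPStandard\nRenewal\nGetNextCACert\n"

if __name__ == "__main__":
    host = "192.0.2.10"  # placeholder address from the documentation range
    print(scep_url(host, "GetCACaps"))
    for name, body in (("legacy", LEGACY_BODY), ("modern", MODERN_BODY)):
        print(name, audit_caps(parse_caps(body)) or "ok")
```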
This section contains the following topics: