Enrollment over Secure Transport for automatic certificate management NEW

The FortiGate supports Enrollment over Secure Transport (EST) and the RFC 7030 standards when generating a new CSR request, performing automatic renewals, or manually regenerating a certificate. EST provides more security for automatic certificate management than Simple Certificate Enrollment Protocol (SCEP), which is commonly used for certificate enrollment.

Background

SCEP helps automate and simplify the process for obtaining a digital certificate from a certificate authority (CA). However, SCEP does not natively support secure connections, and instead relies on the underlying transport protocol to provide security. EST was developed, which uses TLS to establish a secure communication channel over which subsequent certificate management protocol messages like initial certificate enroll and certificate renewal messages are exchanged.

On the FortiGate, when generating a certificate signing request (CSR), you can use the SCEP method to send the request to an SCEP server, or use EST to send the request to an EST server to be signed by a CA.

To configure the enrollment protocol settings for a local certificate:

config vpn certificate local
    edit <name>
        set enroll-protocol est
        set est-server <string>
        set est-ca-id <string>
        set est-http-username <string>
        set est-http-password <string>
        set est-client-cert <certificate>
        set est-server-cert <certificate>
        set est-srp-username <string>
        set est-srp-password <string>
    next
end

est-server <string>	Enter the address and port for EST server (such as https://example.com:1234).
est-ca-id <string>	Enter the CA identifier of the CA server for signing with EST.
est-http-username <string>	Enter the HTTP Authentication username for signing with EST.
est-http-password <string>	Enter the HTTP Authentication password for signing with EST.
est-client-cert <certificate>	Enter the certificate used to authenticate this FortiGate to the EST server.
est-server-cert <certificate>	Enter the EST server's certificate that has to be verifiable by the specified certificate on the FortiGate.
est-srp-username <string>	Enter the EST SRP authentication username.
est-srp-password <string>	Enter the EST SRP authentication password.

To manually generate a CSR for the EST server to be signed by a CA:

# execute vpn certificate local generate est {reqired_1} {reqired_2} {reqired_3} [options]

option 1 (required)	Name of the local server certificate.
option 2 (required)	Cryptography algorithm: rsa-1024, rsa-1536, rsa-2048, rsa-4096, ec-secp256r1, ec-secp384r1, or ec-secp521r1.
option 3 (required)	URL and listening port of the remote EST responder.
option 4 (optional)	Server certificate subject in the certificate enroll request. Separate fields by a comma (,).
option 5 (optional)	Subject Alternative Name (SAN). This can be an FQDN and/or IP. Use DNS:<FQDN>,IP:<IP_address> for example. If the issuing CA does not support SAN, this option will be ignored. Separate fields by a comma (,).
option 6 (optional)	HTTP authentication username.
option 7 (optional)	HTTP authentication password.
option 8 (optional)	CA identifier.
option 9 (optional)	CA certificate used to verify the remote EST responder server certificate and certificates issued by a remote PKI.
option 10 (optional)	Password for the private key.
option 11 (optional)	Client certificate.
option 12 (optional)	Source IP for communications to the CA server.
option 13 (optional)	TLS-SRP username.
option 14 (optional)	TLS-SRP password.

Example 1: enrolling for a new FortiGate server certificate with EST

To enroll for a new FortiGate server certificate with EST:

1. Verify that the FortiGate can communicate with remote EST responder (testrfc7030.com):

   # execute ping testrfc7030.com
   PING testrfc7030.com (54.70.32.33): 56 data bytes
   64 bytes from 54.70.32.33: icmp_seq=0 ttl=31 time=13.6 ms
   64 bytes from 54.70.32.33: icmp_seq=1 ttl=31 time=19.1 ms
   64 bytes from 54.70.32.33: icmp_seq=2 ttl=31 time=16.5 ms
   ^C
   --- testrfc7030.com ping statistics ---
   3 packets transmitted, 3 packets received, 0% packet loss
   round-trip min/avg/max = 13.6/16.4/19.1 ms

2. Start running debugs to track the progress of the enrollment:

   # diagnose debug application est -1
   # diagnose debug enable

3. Create a new server CSR file locally and send it to the remote EST responder:

   # execute vpn certificate local generate est est-test101 ec-secp256r1 https://testrfc7030.com:8443 CN=firewall-portal1,DC=local,DC=COM DNS:firewall-portal1.local.ca,IP:172.18.60.184 estuser estpwd G_CA_Cert_1

   The CA certificate (G_CA_Cert_1) is used to verify the remote EST responder server certificate and certificates issued by a remote PKI. testrfc7030.com is a self-signed CA, which by default is not in the local trusted root store and must be imported prior to enrollment. If the CA that issues the server certificate is not in the local root store, an error would appear in the debug messages: # diagnose debug application est -1 # diagnose debug enable ... [1795] est_curl_req: Error buf: SSL certificate problem: self-signed certificate in certificate chain, [2402] est_simple_enroll: Failed to get ca certs: -1. ...

4. If the enrollment was successful, in a few seconds, a Done message appears. Verify the debugs to view the enrollment process.

   1. The remote CA's certificate is retrieved and stored locally in the EST configuration after being verified with the CA in the trusted root store:

      [1962] __est_curl_set_auth: trace
      [2046] __est_curl_set_auth: HTTP Authentication username is set
      [2050] __est_curl_set_auth: HTTP Authentication password is set
      [2075] __est_get_ca_certs: ============STARTED============
      [1728] est_curl_req: URL: https://testrfc7030.com:8443/.well-known/est/cacerts
      [1776] est_curl_req: HTTP GET
      [143] __curl_ssl_ctx_finalizer: global CAs are loaded.
      [165] __curl_ssl_ctx_finalizer: SSL_CTX ex data is set.
      [1651] curl_header_debug_func: Header received:HTTP/1.1 200 OK

   2. The debug displays the CA used by the remote EST responder:

      [1191] save_pkcs7_certs: Saving pkcs7 response
      [505] est_print_pkcs7: Certs: (1 in total)
      [507] est_print_pkcs7: Cert 1:
      [427] est_print_x509:         Version: 3 (0x2)
              Serial Number:
                  ab:e8:32:e1:f6:6a:6b:43
              Issuer: CN=estExampleCA
              Subject: CN=estExampleCA
              X509v3 extensions:
                  X509v3 Basic Constraints:
                      CA:TRUE
                  X509v3 Subject Key Identifier:
                      1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E
      
      [1220] save_pkcs7_certs: Received 1 certs
      [1228] save_pkcs7_certs: Saving cert(s):
              is_global:1
              est_url:https://testrfc7030.com:8443
              source_ip:NULL
              ca_identifier:NULL

   3. The CA certificate is imported. FortiOS sends a query to learn about the attributes supported by the CA in the certificate request and will then create the CSR accordingly:

      [1288] save_pkcs7_certs: CA certs imported!
      [2101] __est_get_csr_attrs: ============STARTED============
      [1728] est_curl_req: URL: https://testrfc7030.com:8443/.well-known/est/csrattrs
      [1776] est_curl_req: HTTP GET
      [1651] curl_header_debug_func: Header received:HTTP/1.1 200 OK
      [1651] curl_header_debug_func: Header received:Status: 200 OK
      [1651] curl_header_debug_func: Header received:Content-Type: application/csrattrs
      [1651] curl_header_debug_func: Header received:Content-Transfer-Encoding: base64
      [1651] curl_header_debug_func: Header received:Content-Length: 57
      [1651] curl_header_debug_func: Header received:
      [1787] est_curl_req: Response 200
      [1788] est_curl_req: Buffer:MCYGBysGAQEBARYGCSqGSIb3DQEJAQYFK4EEACIGCWCGSAFlAwQCAg==
      [1439] decode_csrattrs_callback: Decoding csrattrs, resp->len: 57
      [1474] decode_csrattrs_callback: Object: 1.3.6.1.1.1.1.22 undefined
      [1474] decode_csrattrs_callback: Object: 1.2.840.113549.1.9.1 emailAddress
      [1474] decode_csrattrs_callback: Object: 1.3.132.0.34 secp384r1
      [1474] decode_csrattrs_callback: Object: 2.16.840.1.101.3.4.2.2 sha384

   4. The CSR information is generated, which is sent to the remote EST responder:

              est_ctx: is_global:1
              vfid:0
              svr_original_url:https://testrfc7030.com:8443
              svr_hostinfo:Exists
              ca_identifier:(null)
              http_username:estuser
              http_password:estpwd  
              clt_cert:(null)
              svr_cert:(null)
              srp_username:(null)
              srp_password:(null)
              source_ip:(null)
              need_pop:0
              newcert_name:est-test101
              passwd:(null)
              rsa_keysize:0
              ec_curvename:secp256r1
              subject:CN=firewall-portal1,DC=local,DC=COM
              sub_alt_name:DNS:firewall-portal1.local.ca,IP:172.18.60.184 
              svr_cert_x509:NULL
              csr_attrs:Exists
              csr:NULL
              pkey:NULL
              header_ptr:NULL
              tmp_p10:NULL
      [2259] __est_simple_enroll: ============STARTED============

   5. The CSR is sent to the EST responder:

      [1728] est_curl_req: URL: https://testrfc7030.com:8443/.well-known/est/simpleenroll
      [1753] est_curl_req: HTTP POST
      [1651] curl_header_debug_func: Header received:HTTP/1.1 200 OK
      [1651] curl_header_debug_func: Header received:Status: 200 OK
      [1651] curl_header_debug_func: Header received:Content-Type: application/pkcs7-mime; smime-type=certs-only
      [1651] curl_header_debug_func: Header received:Content-Transfer-Encoding: base64
      [1651] curl_header_debug_func: Header received:Content-Length: 585
      [1651] curl_header_debug_func: Header received:
      

   6. The CA issues the certificate and sends it back in a PKCS #7 structure:

      [1787] est_curl_req: Response 200 
      [1788] est_curl_req: Buffer:MIIBqwYJKoZIhvcNAQcCoIIBnDCCAZgCAQExADALBgkqhkiG9w0BBwGgggGAMIIB
      fDCCASOgAwIBAgIDB0aXMAoGCCqGSM49BAMCMBcxFTATBgNVBAMTDGVzdEV4YW1w
      ...

   7. The FortiGate decodes and displays the attributes of the certificate, then saves the certificate:

      [1191] save_pkcs7_certs: Saving pkcs7 response
      [505] est_print_pkcs7: Certs: (1 in total)
      [507] est_print_pkcs7: Cert 1:
      [427] est_print_x509:         Version: 3 (0x2)
              Serial Number: 476823 (0x74697)
              Issuer: CN=estExampleCA
              Subject: CN=firewall-portal1
              X509v3 extensions:
                  X509v3 Basic Constraints:
                      CA:FALSE
                  X509v3 Key Usage:
                      Digital Signature
                  X509v3 Subject Key Identifier:
                      9B:F8:39:D5:21:E6:FF:49:FF:AC:02:57:5B:FC:4C:1A:8B:1E:5D:8F
                  X509v3 Authority Key Identifier:
                      1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E
      
      [1220] save_pkcs7_certs: Received 1 certs
      [1228] save_pkcs7_certs: Saving cert(s):
              is_global:1
              est_url:https://testrfc7030.com:8443
              source_ip:NULL
              ca_identifier:NULL
      
      [1246] save_pkcs7_certs: Received 1 cert(s)
      [427] est_print_x509:         Version: 3 (0x2)
              Serial Number: 476823 (0x74697)
              Issuer: CN=estExampleCA
              Subject: CN=firewall-portal1
              X509v3 extensions:
                  X509v3 Basic Constraints:
                      CA:FALSE
                  X509v3 Key Usage:
                      Digital Signature
                  X509v3 Subject Key Identifier:
                      9B:F8:39:D5:21:E6:FF:49:FF:AC:02:57:5B:FC:4C:1A:8B:1E:5D:8F
                  X509v3 Authority Key Identifier:
                      1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E
      
      [827] est_cmdb_update_cert: Cert est-test101 updated in CMDB
      [1276] save_pkcs7_certs: The cert is saved!
      [592] est_ctx_clear_tmp_data: trace
      [2408] est_simple_enroll: POST ret:0
      [592] est_ctx_clear_tmp_data: trace
      Done.

Example 2: automatically renewing a FortiGate server certificate with EST

When the time for certificate renewal is up, the FortiGate will use the existing EST parameters to perform an automatic renewal. This example demonstrates the renewal process through debugs.

To automatically renew a FortiGate server certificate with EST:

1. Verify the current local certificate configuration:

   config vpn certificate local
   (local) # get est-test101
   name                : est-test101
   password            : *
   comments            :
   private-key         : *
   certificate         :
           Subject:     CN = firewall-portal1
           Issuer:      CN = estExampleCA
           Valid from:  2023-04-06 22:37:34  GMT
           Valid to:    2024-04-05 22:37:34  GMT 
           Fingerprint: AE:67:11:CF:7D:F9:57:A4:09:8B:55:0A:F1:B1:7A:CF
   ...
   state               : OK
   range               : global
   source              : user
   source-ip           : 0.0.0.0
   ike-localid-type    : asn1dn
   enroll-protocol     : est
   est-server          : https://testrfc7030.com:8443
   est-ca-id           :
   est-http-username   : estuser
   est-http-password   : estpwd
   est-client-cert     :
   est-server-cert     :
   est-srp-username    :
   est-srp-password    :
   auto-regenerate-days: 0
   auto-regenerate-days-warning: 0

   Note that the current Valid to date and time is 2024-04-05 22:37:34 GMT, which is one year from the issue date.

2. Start running debugs to track the progress of the renewal:

   # diagnose debug application est -1
   # diagnose debug enable

3. For demonstration purposes, update the auto-regenerate-days setting to 364 days to trigger the automatic renewal on the FortiGate:

   config vpn certificate local
       edit est-test101
           set auto-regenerate-days 364
       next
   end

4. Verify the debugs to confirm that the certificate was renewed.

   1. The FortiGate uses the content of the current certificate to create a new CSR. User credentials used for the initial enrollment are stored in local certificate configuration, but they are not used for renewal:

      [1024] reconstruct_est_ctx: Reconstruction succeeded
      est_ctx:        is_global:1
              vfid:0
              svr_original_url:https://testrfc7030.com:8443
              svr_hostinfo:NULL
              ca_identifier:
              http_username:estuser 
              http_password:estpwd 
              clt_cert:
              svr_cert:
              srp_username:
              srp_password:
              source_ip:(null)
              need_pop:0
              newcert_name:est-test101
              passwd:f51da8548af5fef820edfe6267b0c178e76f7c3eae40ee0900318fc77ab6bd
              rsa_keysize:0
              ec_curvename:(null)
              subject:(null)
              sub_alt_name:(null)
              svr_cert_x509:NULL
              csr_attrs:NULL
              csr:NULL
              pkey:NULL
              header_ptr:NULL
              tmp_p10:NULL
      

   2. The FortiGate sends the current server certificate for authentication/authorization and not the username/password used for initial enrollment:

      [2453] est_simple_reenroll: Try to use est-test101 as client cert to authenticate
      [1962] __est_curl_set_auth: trace
      [2011] __est_curl_set_auth: Warning: cert est-test101 may not have the correct key usage for TLS client authentication
      [2014] __est_curl_set_auth: Will use cert est-test101 to prove my identity
      ...
      [1651] curl_header_debug_func: Header received:
      [1787] est_curl_req: Response 200    
      [1788] est_curl_req: Buffer:MCYGBysGAQEBARYGCSqGSIb3DQEJAQYFK4EEACIGCWCGSAFlAwQCAg==
      [1439] decode_csrattrs_callback: Decoding csrattrs, resp->len: 57
      [1474] decode_csrattrs_callback: Object: 1.3.6.1.1.1.1.22 undefined
      [1474] decode_csrattrs_callback: Object: 1.2.840.113549.1.9.1 emailAddress
      [1474] decode_csrattrs_callback: Object: 1.3.132.0.34 secp384r1
      [1474] decode_csrattrs_callback: Object: 2.16.840.1.101.3.4.2.2 sha384
      est_ctx:        is_global:1
              vfid:0
              svr_original_url:https://testrfc7030.com:8443
              svr_hostinfo:Exists
              ca_identifier:
              http_username:estuser
              http_password:estpwd
              clt_cert:est-test101
              svr_cert:
              srp_username:
              srp_password:
              source_ip:(null)
              need_pop:0
              newcert_name:est-test101
              passwd:f51da8548af5fef820edfe6267b0c178e76f7c3eae40ee0900318fc77ab6bd
              rsa_keysize:0
              ec_curvename:(null)
              subject:(null)                   
              sub_alt_name:(null)
              svr_cert_x509:NULL
              csr_attrs:Exists
              csr:NULL
              pkey:NULL
              header_ptr:NULL
              tmp_p10:NULL
      [2274] __est_simple_reenroll: ============STARTED============

   3. The CSR for renewal is successfully generated:

      [965] est_generate_csr_from_cert: Successfully generated CSR for est-test101
      [2200] __est_simple_post: Data to be posted:
      |||MIIBQDCB5gIBAjAbMRkwFwYDVQQDDBBmaXJld2FsbC1wb3J0YWwxMFkwEwYHKoZI
      zj0CAQYIKoZIzj0DAQcDQgAEQoJQmPedxPNUcfCyRvpqyt1oiiJX/me+TdButUSu
      8hg+9nPF6+xNf+5LmtG/YKHeXyCKG6xB9OmJf255Zmx+5qBpMGcGCSqGSIb3DQEJ
      DjFaMFgwCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwHQYDVR0OBBYEFJv4OdUh5v9J
      /6wCV1v8TBqLHl2PMB8GA1UdIwQYMBaAFBrfOYTCVuZszyq0JqX9DNJD9T0+MAoG
      CCqGSM49BAMCA0kAMEYCIQCK3Li51F7fXsyKZwtIcYMFvDobY3cKKTTDixtN7QZ2
      jwIhAKUkqfWPAzwcxQaNQw6pyYvo18ymB9aEheeIXZfGI+tV
      |||
      
      [1728] est_curl_req: URL: https://testrfc7030.com:8443/.well-known/est/simplereenroll
      [1753] est_curl_req: HTTP POST
      [1651] curl_header_debug_func: Header received:HTTP/1.1 200 OK
      [1651] curl_header_debug_func: Header received:Status: 200 OK
      [1651] curl_header_debug_func: Header received:Content-Type: application/pkcs7-mime; smime-type=certs-only
      [1651] curl_header_debug_func: Header received:Content-Transfer-Encoding: base64
      [1651] curl_header_debug_func: Header received:Content-Length: 590
      [1651] curl_header_debug_func: Header received:
      [1787] est_curl_req: Response 200

   4. The new certificate is received in PKCS #7 and is saved:

      [1788] est_curl_req: Buffer:MIIBrQYJKoZIhvcNAQcCoIIBnjCCAZoCAQExADALBgkqhkiG9w0BBwGgggGCMIIB
      fjCCASOgAwIBAgIDB0aYMAoGCCqGSM49BAMCMBcxFTATBgNVBAMTDGVzdEV4YW1w
      ...
      [1191] save_pkcs7_certs: Saving pkcs7 response
      [505] est_print_pkcs7: Certs: (1 in total)
      ...
      [1220] save_pkcs7_certs: Received 1 certs
      [1228] save_pkcs7_certs: Saving cert(s):
              is_global:1
              est_url:https://testrfc7030.com:8443
              source_ip:NULL
              ca_identifier:
      
      [1246] save_pkcs7_certs: Received 1 cert(s)
      [427] est_print_x509:         Version: 3 (0x2)
              Serial Number: 476824 (0x74698)
              Issuer: CN=estExampleCA
              Subject: CN=firewall-portal1
              X509v3 extensions:
                  X509v3 Basic Constraints:
                      CA:FALSE
                  X509v3 Key Usage:
                      Digital Signature
                  X509v3 Subject Key Identifier:
                      9B:F8:39:D5:21:E6:FF:49:FF:AC:02:57:5B:FC:4C:1A:8B:1E:5D:8F
                  X509v3 Authority Key Identifier:
                      1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E
      
      [827] est_cmdb_update_cert: Cert est-test101 updated in CMDB
      [1276] save_pkcs7_certs: The cert is saved!
      [592] est_ctx_clear_tmp_data: trace
      [2477] est_simple_reenroll: POST ret:0
      [592] est_ctx_clear_tmp_data: trace

5. Verify the renewed local certificate configuration:

   config vpn certificate local
   (local) # get est-test101
   name                : est-test101
   password            : *
   comments            :
   private-key         : *
   certificate         :
           Subject:     CN = firewall-portal1
           Issuer:      CN = estExampleCA
           Valid from:  2023-04-06 22:55:09  GMT     
           Valid to:    2024-04-05 22:55:09  GMT
           Fingerprint: D9:51:6C:EF:04:E9:79:8D:A0:EE:10:23:4A:F4:46:B7
           Root CA:     No
           Version:     3
           Serial Num:
                   07:46:a5
           Extensions:
                   Name:     X509v3 Basic Constraints
                   Critical: no
                   Content:

   Note that the Valid to date and time is now 2024-04-05 22:55:09 GMT.

Example 3: manually regenerating a local certificate with EST

Note that manually regenerating the certificate will not generate a new server key pair.

To manually regenerate a local certificate with EST:

1. Run the following command:

   # execute vpn certificate local generate est est-test101
   Certificate 'est-test101' already exists, re-generate will ignore all the options you have provided.
   Are you sure to re-generate the certificate?
   Do you want to continue? (y/n) y
   

2. Verify the debugs to confirm that the certificate was generated:

   # diagnose debug application est -1
   # diagnose debug enable
   ...
   [1024] reconstruct_est_ctx: Reconstruction succeeded
   est_ctx:        is_global:1
           vfid:0
           svr_original_url:https://testrfc7030.com:8443
           svr_hostinfo:NULL
           ca_identifier:
           http_username:estuser
           http_password:estpwd
           clt_cert:
           svr_cert:
           srp_username:
           srp_password:
           source_ip:(null)
           need_pop:0
           newcert_name:est-test101
           passwd:f51da8548af5fef820edfe6267b0c178e76f7c3eae40ee0900318fc77ab6bd
           rsa_keysize:0
           ec_curvename:(null)
           subject:(null)
           sub_alt_name:(null)
           svr_cert_x509:NULL
           csr_attrs:NULL
           csr:NULL
           pkey:NULL
           header_ptr:NULL
           tmp_p10:NULL
   [2453] est_simple_reenroll: Try to use est-test101 as client cert to authenticate
   [1962] __est_curl_set_auth: trace
   ...

3. Once the certificate is saved, verify the local certificate configuration:

   config vpn certificate local
   (local) # get est-test101
   name                : est-test101
   password            : *
   comments            :
   private-key         : *
   certificate         :
           Subject:     CN = firewall-portal1
           Issuer:      CN = estExampleCA
           Valid from:  2023-04-13 17:23:40  GMT
           Valid to:    2024-04-12 17:23:40  GMT
           Fingerprint: 4A:96:E1:73:6D:D3:64:FE:A3:A8:28:56:1D:39:05:37
           Root CA:     No
           Version:     3
           Serial Num:
                   07:47:02
           Extensions:
                   Name:     X509v3 Basic Constraints
                   Critical: no
                   Content:
                   CA:FALSE
   
                   Name:     X509v3 Key Usage
                   Critical: no
                   Content:
                   Digital Signature
   
                   Name:     X509v3 Subject Key Identifier
                   Critical: no
                   Content:
                   9B:F8:39:D5:21:E6:FF:49:FF:AC:02:57:5B:FC:4C:1A:8B:1E:5D:8F 
   
                   Name:     X509v3 Authority Key Identifier
                   Critical: no
                   Content:
                   1A:DF:39:84:C2:56:E6:6C:CF:2A:B4:26:A5:FD:0C:D2:43:F5:3D:3E
   
   
   state               : OK
   range               : global
   source              : user
   source-ip           : 0.0.0.0
   ike-localid-type    : asn1dn
   enroll-protocol     : est
   est-server          : https://testrfc7030.com:8443
   est-ca-id           :
   est-http-username   : estuser
   est-http-password   : estpwd
   est-client-cert     :
   est-server-cert     :
   est-srp-username    :
   est-srp-password    :
   auto-regenerate-days: 0
   auto-regenerate-days-warning: 0
   

   The Subject Key Identifier is the same, so no new key pair was generated.