As an administrator, you can allow FortiAuthenticator to either automatically sign the user's certificate or alert you to the request so that you can sign it manually.
Before you can create or configure certificate enrollment requests, the following must be in place:
- SCEP must be enabled.
- HTTP access must be enabled on the network interface(s) that will serve SCEP clients, for example the interface connected to the Internet (System > Network > Interfaces). SCEP clients connect over HTTP. See Interfaces.
- The CA certificate for your certificate authority must be added. See Certificate authorities.
- A CA must be selected for SCEP. See Default CA.
Configure the following settings:
Select OK to apply any changes you have made.
The following information is available:
- From the enrollment request list, select a request by clicking within its row.
- Select Close to return to the enrollment request window.
- From the Certificate Enrollment Request window, select Did the client lose his/her certificate and key? The Reset enrollment request status? window opens.
- There are two methods to reset the enrollment request. In both, the lost certificate is revoked, so that the lost key can no longer be used to authenticate:
- Manually remove the old enrollment request, revoke its certificate, then create a new enrollment request with exactly the same configuration and subject name as the old certificate.
- Re-use the same enrollment request by resetting its status and then revoking the lost certificate (recommended).
- From the certificate enrollment requests list, select Create New.
- Enter the information described in the settings below. When the Subject input method is Field-by-field, the following optional subject fields are available in addition to Name (CN):
- Department (OU)
- Company (O)
- City (L)
- State/Province (ST)
- Country (C) (select from dropdown menu)
- Email address
- When Password creation is set to Set a random password, choose how the challenge password is delivered to the client:
- Display: Display the password on the screen.
- SMS: Send the password to a mobile phone. Enter the phone number in the Mobile number field and select an SMS gateway from the dropdown menu.
- Email: Send the password to the email address entered in the Email address field.
- Select OK to create the new certificate enrollment request.
| Setting | Description |
| --- | --- |
| Automatic request type | Select the automatic request type, either Regular or Wildcard. |
| Certificate authority | Select one of the available CAs configured on FortiAuthenticator from the dropdown menu. The CA must be valid and current; if it is not, you will have to create or import a CA certificate before continuing. See Certificate authorities. |
| Subject input method | Select the subject input method, either Fully distinguished name or Field-by-field. |
| Subject (Fully distinguished name) | Enter the full distinguished name of the subject with no spaces between attributes, for example CN=alice,OU=Sales,O=Example Corp,C=US. Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive, so cn or EMAILADDRESS is not a valid attribute. |
| Subject (Field-by-field) | Enter the subject name in the Name (CN) field (if the Automatic request type is set to Regular), and optionally the Department (OU), Company (O), City (L), State/Province (ST), Country (C), and Email address fields. |

Certificate Signing Options

| Setting | Description |
| --- | --- |
| Validity period | Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. |
| Hash algorithm | Select the hash algorithm from the dropdown menu, either SHA-256 (the default) or SHA-1. Keep SHA-256 unless a legacy client can only process SHA-1 signatures; SHA-1 is no longer considered secure for certificate signatures. |
| Password creation | Select to either set a random password or use the default enrollment password (see Default enrollment password). A random password is preferable, because the default enrollment password is shared by every request that relies on it. |
| Challenge password distribution | Select how the challenge password is delivered to the client (Display, SMS, or Email). This option is only available if Password creation is set to Set a random password. |
| Renewal | When renewal is enabled, you can either allow or reject SCEP renewal requests for expired and revoked certificates (burst renewal requests from FortiGate devices could exhaust the FortiAuthenticator and create duplicate certificates), and either allow or reject SCEP renewal requests signed using the old private key. |

Subject Alternative Name

SANs allow you to protect multiple host names with a single SSL certificate. SAN is part of the X.509 certificate standard. This section is not available when the certificate type is Intermediate CA certificate signing request (CSR).

| Setting | Description |
| --- | --- |
| Email | Enter the email address of a user to map to this certificate. |
| User Principal Name (UPN) | Enter the UPN used to find the user's account in Microsoft Active Directory. This maps the certificate to that specific user (a one-to-one mapping); the UPN is unique within the Windows Server domain. |

Advanced Options: Key Usages

Some certificates require the explicit presence of extended key usage attributes before the certificate can be accepted for use. For detailed information about these attributes, see End entities.
When created, the request has a Status of Pending. A code is displayed that must be provided to the client as the challenge password for the automatic certificate enrollment process.
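The subject DN rules above (a fixed, case-sensitive set of attribute types and no spaces between attributes) are easy to get wrong when enrollment requests are generated by a script rather than typed into the form. The following Python example is added here for illustration and is not FortiAuthenticator's own code: it validates a fully distinguished name against those rules and assembles one from field-by-field input in the order the form lists the fields. The handling of backslash-escaped commas inside values follows the RFC 4514 string form and is an assumption, since the page does not say how such values are entered.

```python
"""Validate and build SCEP subject DNs using the rules stated on the
FortiAuthenticator enrollment form: attribute types limited to DC, C, ST, L,
O, OU, CN and emailAddress, attribute types case-sensitive, and no spaces
between attributes.  Added example code, not FortiAuthenticator's own.
Backslash-escaping of commas inside values is an assumption taken from the
RFC 4514 string form; the page does not specify it."""

ALLOWED_ATTRIBUTES = ("DC", "C", "ST", "L", "O", "OU", "CN", "emailAddress")

# Order used when assembling a DN from the field-by-field form.  Assumption:
# CN first, then the optional fields in the order the form lists them.
# DC is accepted by parse_dn but is not offered by the field-by-field form.
FIELD_ORDER = ("CN", "OU", "O", "L", "ST", "C", "emailAddress")


class DNError(ValueError):
    """Raised when a DN string violates the form's rules."""


def split_rdns(dn):
    """Split on unescaped commas; a backslash-escaped comma stays in the value
    and the backslash itself is dropped."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise DNError("DN ends with a dangling escape character")
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Return a list of (attribute, value) pairs or raise DNError.

    Enforces: non-empty DN, a value for every attribute, known attribute
    types with exact case, and no whitespace around the separators (the form
    says there must be no spaces between attributes).  Spaces inside a value
    such as O=Example Corp are allowed."""
    if not dn:
        raise DNError("DN is empty")
    pairs = []
    for rdn in split_rdns(dn):
        if rdn != rdn.strip():
            raise DNError("spaces are not allowed between attributes: %r" % rdn)
        if "=" not in rdn:
            raise DNError("attribute without '=': %r" % rdn)
        attr, value = rdn.split("=", 1)
        if attr not in ALLOWED_ATTRIBUTES:
            # case matters: 'cn' or 'EMAILADDRESS' is rejected here
            raise DNError("unsupported or mis-cased attribute type: %r" % attr)
        if not value:
            raise DNError("empty value for %s" % attr)
        pairs.append((attr, value))
    return pairs


def is_valid_dn(dn):
    """True if parse_dn accepts the string, False otherwise."""
    try:
        parse_dn(dn)
    except DNError:
        return False
    return True


def escape_value(value):
    """Escape characters that would otherwise be read as separators."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def build_dn(**fields):
    """Assemble a DN from field-by-field input, e.g.
    build_dn(CN='alice', OU='Sales', O='Example Corp', C='US').
    Unknown field names are rejected, empty fields are skipped, and the
    result round-trips through parse_dn."""
    unknown = set(fields) - set(FIELD_ORDER)
    if unknown:
        raise DNError("unsupported field(s): %s" % ", ".join(sorted(unknown)))
    rdns = ["%s=%s" % (name, escape_value(fields[name]))
            for name in FIELD_ORDER if fields.get(name)]
    if not rdns:
        raise DNError("at least one subject field is required")
    return ",".join(rdns)


if __name__ == "__main__":
    # Constructed sample input, not taken from a real deployment.
    print(parse_dn("CN=alice,OU=Sales,O=Example Corp,C=US,emailAddress=alice@example.com"))
    for bad in ("CN=alice, OU=Sales", "cn=alice,O=Example", "CN=alice,UID=1"):
        print("rejected %r: %s" % (bad, not is_valid_dn(bad)))
    print(build_dn(CN="bob", O="Example, Inc.", C="US"))
```

Feeding the string produced by build_dn back through parse_dn returns the original field values, which is the property to check before pasting a scripted DN into the Fully distinguished name field.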