Fortinet black logo

Examples

7.4.0
7.4.0
7.2.0
7.0.0
6.4.0

Configuring FortiManager and FortiAuthenticator for SCEP certificate deployment

Configuring FortiManager and FortiAuthenticator for SCEP certificate deployment

Simple Certificate Enrollment Protocol (SCEP) is an open source protocol that allows for organizations to manage and deploy certificates in a scalable and secure fashion. This guide covers how to configure FortiAuthenticator as a Certificate Authority (CA) to conditionally sign certificates for FortiGates. These FortiGates will be managed by FortiManager and handles SCEP configuration as well as certificate usage for the FortiGates.

This section includes the following topics:

  1. Configuring FortiAuthenticator

  2. Configuring FortiManager

  3. Verification of certificate deployment

Configuring FortiAuthenticator

The FortiAuthenticator has two roles in this guide: create and act as a Certificate Authority, and participate in the SCEP process as the SCEP server.

There are three configuration sections for FortiAuthenticator:

  1. Enable SCEP communications

  2. Select or create a CA certificate

  3. SCEP configuration

Enable SCEP communications

To enable FortiAuthenticator for SCEP communications, you must enable the service as follows:

  1. Navigate to System > Network > Interfaces.

  2. Double click on the interface that FortiManager will communicate with the FortiAuthenticator on.

  3. In the Access Rights > Services section, enable HTTP, and then SCEP and CRL Downloads.

Select or create a CA certificate

Certificate enrollment involves end entities, FortiGates in this example, receiving signed certificates. We will use FortiAuthenticator to generate the CA certificate that will be used to sign these certificates. If you already have a CA on FortiAuthenticator, you may skip this step.

To create a CA certificate on FortiAuthenticator:

  1. Navigate to Certificate Management > Certificate Authorities > Local CAs.

  2. Click Create New.

  3. Provide the following details to create your CA. You may elect to add more details as you see fit.

    Certificate ID

    External_PKI

    Certificate type

    Root CA

    Subject input method

    Field-by-field

    Name (CN)

    external_pki

    Department

    FortiDocuments

    Company

    Fortinet

    Key size

    4096

    Hash algorithm

    SHA-256

  4. Click Save.

  5. Use the checkbox on the left side to select the newly created CA.

  6. Select Export Certificates at the top to export the CA.

Note

This certificate will need to be uploaded to any device which needs to verify the certificates signed by it. That might mean end user desktops for GUI admin access or deep inspection, or to FortiGates for site-to-site VPN.

SCEP configuration

To enable SCEP:

  1. Navigate to Certificate Management > SCEP > General.

  2. Enable SCEP.

  3. Ensure External_PKI is selected for Default CA.

  4. Set the Default enrollment password.

  5. Leave Enrollment method on Automatic.

  6. Leave Revoke the old certificate on renewal enabled.

  7. Select Save.

To configure enrollment requests:

  1. Select Certificate Management > SCEP > Enrollment Requests.

  2. Click Create New.

  3. Provide the following details:

    Automatic request type

    Wildcard

    Certificate authority

    External_PKI | CN=external-pki

    Subject input method

    Field-by-field

    Department

    FortiDocuments

    Company

    Fortinet

    Hash algorithm

    SHA-256

    Password generation

    Default

    Allow renewal ___ days before certificate is expired

    Enabled, 7

    Allow renewal if revoked

    Enabled

    Allow renewal if expired

    Enabled

    Add CRL Distribution Points extension

    Enabled

    Add OSCP Responder URL

    Enabled

    The wildcard request type allows you to create a single enrollment request to match all requests coming from FortiManager. Hover over the Wildcard option on FortiAuthenticator to learn more about the requirements and caveats.

  4. Click Save.

Configuring FortiManager

There are four configuration sections for FortiManager:

  1. Creating a certificate template

  2. Import the External_PKI CA certificate

  3. Use the certificate in FortiManager

  4. Install the certificate to FortiGate

Creating a certificate template

The certificate template is used to define a certificate object for one or more FortiGates. Like most objects in FortiManager, this object can be mapped to many FortiGates so that a common configuration can apply a unique certificate to each managed FortiGate.

To create a certificate template:

  1. Navigate to Device Manager > Provisioning Templates.

  2. Select Certificate from the top menu bar.

  3. Select Create New.

  4. Provide the following details:

    Type

    External

    Certificate Name

    external_pki

    Organization Unit

    FortiDocuments

    Organization

    Fortinet

    Key Type

    RSA

    Key Size

    4096

    Hash Algorithm

    SHA-256

    CA Server URL

    http://<FAC_IP>/app/cert/scep

    Challenge Password

    <The enrollment password created on the FAC>
    Note

    The CA Server URL is the URL that the FortiManager can reach FortiAuthenticator on plus the directory that was given after enabling SCEP.

  5. Click OK.

  6. Navigate to Policy & Objects > Advanced > Dynamic Local Certificate. Note how there is a new certificate created named external_pki. If you edit this certificate, you will notice that there are no per-device mappings. This is expected as the certificate has not yet been requested from FortiAuthenticator, therefore there are no mappings.

Import the External_PKI CA certificate

This certificate will be used by FortiGates to help validate any certificates that this CA certificate has signed. After importing the CA certificate here, it will be included in the next install for FortiGates in the VDOM.

To import the External_PKI CA certificate:

  1. Navigate to Policy & Objects > Advanced, and select Tools > Feature Visibility at the top to enable Advanced > CA Certificates.

  2. Select OK to save the feature visibility.

  3. Select CA Certificates from the top menu bar.

  4. Select Import in the top left to provide the following details:

    1. Certificate Name: ca_external_pki.

    2. Import CA Certificate: Upload the certificate exported from FortiAuthenticator in an earlier step.

  5. Click OK to save.

Use the certificate in FortiManager

You can now use the certificate in a FortiGate configuration so it will be downloaded and installed to the FortiGate. The certificate may be used in several ways. This example demonstrates how it may be used for IPsec tunnel authentication.

Note

This guide edits an existing hub and spoke VPN set up that is using a PSK for authentication.
To use the certificate in FortiManager:

  1. Navigate to VPN Manager > IPsec VPN Communities.

  2. Select the VPN community you want to update to use automatic certificate enrollment. In this example, the VPN community is VPN1 and there are three FortiGates in this community: 1 HUB (fgt) and 2 spokes (contained in the Branches group: fgt1, fgt2).

  3. Edit the community to adjust Authentication from Pre-Shared Key to Certificates, and select the external_pki certificate created from the certificate template, and select OK to save the selected certificate.

  4. Select OK to save the community.

Install the certificate to FortiGate

To install the certificate to a FortiGate:

  1. Select Install Wizard from the top menu bar.

  2. Select the Policy Package for the spoke FortiGates, and select Next.

  3. Ensure the FortiGates are selected and select Next.

  4. Once the wizard has completed Installation Preparation (Validate Devices, step 3/4), check the enrollment status on the FortiAuthenticator.


  5. Select Install on FortiManager to complete the Install Wizard and certificate deployment.

  6. Repeat the above steps for the HUB FortiGate.

Verification of certificate deployment

Several certificates will now have been successfully deployed using SCEP. To verify the work, examine the FortiManager and FortiGate configuration.

Verification on FortiManager

On the FortiManager, review the dynamic certificate object, and some VPN monitors.

Dynamic certificate object

Navigate to Policy & Objects > Advanced > Dynamic Local Certificate to examine the external_pki certificate. Notice that there are three mappings for the HUB and two branch FortiGates.

You can assign this dynamic certificate to FortiGates without mappings and the SCEP process will automatically generate and deploy a certificate matching the assigned FortiGate.

IPsec VPN map

Review the VPN Manager > IPsec VPN Map > Topology View and Traffic View. Try enabling Show Table on Traffic View, and notice the Peer ID column. This can be easily used to authenticate.

Verification on FortiGate

Review the certificate and configuration on the FortiGate.

Certificate usage

You can verify the certificate on the FortiGate by navigating to VPN > IPsec Tunnels, then double clicking on a tunnel. This shows that a certificate named external_pki was used for authentication.


Certificate details

Review the external_pki certificate being used in the VPN tunnel.

  1. Navigate to System > Certificates (enable Certificates in Feature Visibility if necessary).
  2. Notice that the external_pki exists in the Local Certificates section.
  3. Notice that ca_external_pki exists in the Remote CA Certificate section.

  4. Double-click either or both certificates to review their details.
Previous
Next

Configuring FortiManager and FortiAuthenticator for SCEP certificate deployment

Simple Certificate Enrollment Protocol (SCEP) is an open source protocol that allows for organizations to manage and deploy certificates in a scalable and secure fashion. This guide covers how to configure FortiAuthenticator as a Certificate Authority (CA) to conditionally sign certificates for FortiGates. These FortiGates will be managed by FortiManager and handles SCEP configuration as well as certificate usage for the FortiGates.

This section includes the following topics:

  1. Configuring FortiAuthenticator

  2. Configuring FortiManager

  3. Verification of certificate deployment

Configuring FortiAuthenticator

The FortiAuthenticator has two roles in this guide: create and act as a Certificate Authority, and participate in the SCEP process as the SCEP server.

There are three configuration sections for FortiAuthenticator:

  1. Enable SCEP communications

  2. Select or create a CA certificate

  3. SCEP configuration

Enable SCEP communications

To enable FortiAuthenticator for SCEP communications, you must enable the service as follows:

  1. Navigate to System > Network > Interfaces.

  2. Double click on the interface that FortiManager will communicate with the FortiAuthenticator on.

  3. In the Access Rights > Services section, enable HTTP, and then SCEP and CRL Downloads.

Select or create a CA certificate

Certificate enrollment involves end entities, FortiGates in this example, receiving signed certificates. We will use FortiAuthenticator to generate the CA certificate that will be used to sign these certificates. If you already have a CA on FortiAuthenticator, you may skip this step.

To create a CA certificate on FortiAuthenticator:

  1. Navigate to Certificate Management > Certificate Authorities > Local CAs.

  2. Click Create New.

  3. Provide the following details to create your CA. You may elect to add more details as you see fit.

    Certificate ID

    External_PKI

    Certificate type

    Root CA

    Subject input method

    Field-by-field

    Name (CN)

    external_pki

    Department

    FortiDocuments

    Company

    Fortinet

    Key size

    4096

    Hash algorithm

    SHA-256

  4. Click Save.

  5. Use the checkbox on the left side to select the newly created CA.

  6. Select Export Certificates at the top to export the CA.

Note

This certificate will need to be uploaded to any device which needs to verify the certificates signed by it. That might mean end user desktops for GUI admin access or deep inspection, or to FortiGates for site-to-site VPN.

SCEP configuration

To enable SCEP:

  1. Navigate to Certificate Management > SCEP > General.

  2. Enable SCEP.

  3. Ensure External_PKI is selected for Default CA.

  4. Set the Default enrollment password.

  5. Leave Enrollment method on Automatic.

  6. Leave Revoke the old certificate on renewal enabled.

  7. Select Save.

To configure enrollment requests:

  1. Select Certificate Management > SCEP > Enrollment Requests.

  2. Click Create New.

  3. Provide the following details:

    Automatic request type

    Wildcard

    Certificate authority

    External_PKI | CN=external-pki

    Subject input method

    Field-by-field

    Department

    FortiDocuments

    Company

    Fortinet

    Hash algorithm

    SHA-256

    Password generation

    Default

    Allow renewal ___ days before certificate is expired

    Enabled, 7

    Allow renewal if revoked

    Enabled

    Allow renewal if expired

    Enabled

    Add CRL Distribution Points extension

    Enabled

    Add OSCP Responder URL

    Enabled

    The wildcard request type allows you to create a single enrollment request to match all requests coming from FortiManager. Hover over the Wildcard option on FortiAuthenticator to learn more about the requirements and caveats.

  4. Click Save.

Configuring FortiManager

There are four configuration sections for FortiManager:

  1. Creating a certificate template

  2. Import the External_PKI CA certificate

  3. Use the certificate in FortiManager

  4. Install the certificate to FortiGate

Creating a certificate template

The certificate template is used to define a certificate object for one or more FortiGates. Like most objects in FortiManager, this object can be mapped to many FortiGates so that a common configuration can apply a unique certificate to each managed FortiGate.

To create a certificate template:

  1. Navigate to Device Manager > Provisioning Templates.

  2. Select Certificate from the top menu bar.

  3. Select Create New.

  4. Provide the following details:

    Type

    External

    Certificate Name

    external_pki

    Organization Unit

    FortiDocuments

    Organization

    Fortinet

    Key Type

    RSA

    Key Size

    4096

    Hash Algorithm

    SHA-256

    CA Server URL

    http://<FAC_IP>/app/cert/scep

    Challenge Password

    <The enrollment password created on the FAC>
    Note

    The CA Server URL is the URL that the FortiManager can reach FortiAuthenticator on plus the directory that was given after enabling SCEP.

  5. Click OK.

  6. Navigate to Policy & Objects > Advanced > Dynamic Local Certificate. Note how there is a new certificate created named external_pki. If you edit this certificate, you will notice that there are no per-device mappings. This is expected as the certificate has not yet been requested from FortiAuthenticator, therefore there are no mappings.

Import the External_PKI CA certificate

This certificate will be used by FortiGates to help validate any certificates that this CA certificate has signed. After importing the CA certificate here, it will be included in the next install for FortiGates in the VDOM.

To import the External_PKI CA certificate:

  1. Navigate to Policy & Objects > Advanced, and select Tools > Feature Visibility at the top to enable Advanced > CA Certificates.

  2. Select OK to save the feature visibility.

  3. Select CA Certificates from the top menu bar.

  4. Select Import in the top left to provide the following details:

    1. Certificate Name: ca_external_pki.

    2. Import CA Certificate: Upload the certificate exported from FortiAuthenticator in an earlier step.

  5. Click OK to save.

Use the certificate in FortiManager

You can now use the certificate in a FortiGate configuration so it will be downloaded and installed to the FortiGate. The certificate may be used in several ways. This example demonstrates how it may be used for IPsec tunnel authentication.

Note

This guide edits an existing hub and spoke VPN set up that is using a PSK for authentication.
To use the certificate in FortiManager:

  1. Navigate to VPN Manager > IPsec VPN Communities.

  2. Select the VPN community you want to update to use automatic certificate enrollment. In this example, the VPN community is VPN1 and there are three FortiGates in this community: 1 HUB (fgt) and 2 spokes (contained in the Branches group: fgt1, fgt2).

  3. Edit the community to adjust Authentication from Pre-Shared Key to Certificates, and select the external_pki certificate created from the certificate template, and select OK to save the selected certificate.

  4. Select OK to save the community.

Install the certificate to FortiGate

To install the certificate to a FortiGate:

  1. Select Install Wizard from the top menu bar.

  2. Select the Policy Package for the spoke FortiGates, and select Next.

  3. Ensure the FortiGates are selected and select Next.

  4. Once the wizard has completed Installation Preparation (Validate Devices, step 3/4), check the enrollment status on the FortiAuthenticator.


  5. Select Install on FortiManager to complete the Install Wizard and certificate deployment.

  6. Repeat the above steps for the HUB FortiGate.

Verification of certificate deployment

Several certificates will now have been successfully deployed using SCEP. To verify the work, examine the FortiManager and FortiGate configuration.

Verification on FortiManager

On the FortiManager, review the dynamic certificate object, and some VPN monitors.

Dynamic certificate object

Navigate to Policy & Objects > Advanced > Dynamic Local Certificate to examine the external_pki certificate. Notice that there are three mappings for the HUB and two branch FortiGates.

You can assign this dynamic certificate to FortiGates without mappings and the SCEP process will automatically generate and deploy a certificate matching the assigned FortiGate.

IPsec VPN map

Review the VPN Manager > IPsec VPN Map > Topology View and Traffic View. Try enabling Show Table on Traffic View, and notice the Peer ID column. This can be easily used to authenticate.

Verification on FortiGate

Review the certificate and configuration on the FortiGate.

Certificate usage

You can verify the certificate on the FortiGate by navigating to VPN > IPsec Tunnels, then double clicking on a tunnel. This shows that a certificate named external_pki was used for authentication.


Certificate details

Review the external_pki certificate being used in the VPN tunnel.

  1. Navigate to System > Certificates (enable Certificates in Feature Visibility if necessary).
  2. Notice that the external_pki exists in the Local Certificates section.
  3. Notice that ca_external_pki exists in the Remote CA Certificate section.

  4. Double-click either or both certificates to review their details.
Previous
Next