I am looking for someone with experience from setting this up. I have Googled tons of documentation on how to configure this, but have no conclusive answers. Using FAC 4.0 and FOS 5.2.latest.
Basically I have two issues: 1) I'm not 100% sure how SCEP is intended to work. 2) Configuration of the FAC seems non-trivial.
For my first test I just wanted to generate a CA Cert on the FAC, import the Cert into the FGT, and *manually* create an IPSec tunnel on the FGT. But the imported Cert is not available in the drop-down box in the P1 configuration. What did I do wrong?
Secondly, I attempted to enable SCEP on the tunnel, generate an enrollment from the FGT to the FAC - and see the request as 'Pending' in the FAC. Authorize it in the FAC - and then nothing happens? The Cert is never deployed to the FGT. What have I missed?
Any pointers or tips are greatly appreciated!
Mike,

Regarding the manual setup: do you expect the CA cert to show up in the P1 config? This is not correct. You should see the device cert in the drop-down box.

Basic steps are (when using FAC):
1. Sync the time on both FGT so they can verify the validity of the certificates
2. On the FAC, create a "user" certificate for each FGT
3. Export the "user" certificates as PKCS#12
4. Export the FAC CA cert (the one used when signing the user certificates)
5. Import the "user" certificate on the relevant FGT as a "local" cert (type PKCS#12)
6. Import the CA cert on both FGT

Under "system -> certificates -> external CA certificates" you should see the CA certificate on each FGT.
Under "system -> certificates -> certificates" you should see the "user" certificate (different one on each FGT). This is also the cert that should be used in your P1 config.

Regards
Robby
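As an added illustration of the manual steps above (not code from the thread or from Fortinet), the script below reproduces the FAC flow with the openssl CLI on a constructed CA and a constructed per-FGT "user" certificate, exports the PKCS#12 that step 3 describes, and then runs the checks worth doing before importing into a FortiGate: the bundle opens with its password, the device cert chains to the CA cert you intend to import as the external CA, and the cert is valid at the current time (the reason step 1 insists on time sync). All names, passwords and the check_bundle helper are constructed for this example.

```shell
#!/bin/sh
# Added example: mimic the FAC flow (CA cert + per-FGT "user" cert exported as
# PKCS#12) with openssl and run the pre-import checks. All names are constructed.
set -eu
WORK=$(mktemp -d)
P12PASS=changeit   # constructed export password; the FGT asks for it at import

# Constructed CA standing in for the FortiAuthenticator CA (step 4 exports this).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=FAC-Test-CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# A second, unrelated CA: what you get if the wrong CA cert is imported on the FGT.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Other-CA" -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

# Constructed "user" certificate for one FortiGate, signed by the test CA (step 2).
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=fgt-site-a" -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null
openssl x509 -req -sha256 -days 365 -in "$WORK/fgt.csr" -CA "$WORK/ca.crt" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/fgt.crt" 2>/dev/null

# Step 3: key + device cert bundled as PKCS#12, which the FGT imports as a local cert.
openssl pkcs12 -export -inkey "$WORK/fgt.key" -in "$WORK/fgt.crt" \
  -name fgt-site-a -passout "pass:$P12PASS" -out "$WORK/fgt.p12"

# check_bundle P12 CACERT PASS
# Returns 0 when the PKCS#12 opens, its certificate chains to CACERT, and the
# certificate is valid at the current time (why step 1 insists on time sync).
# Returns 1 (bad bundle/password), 2 (does not chain to CACERT), 3 (outside validity).
check_bundle() {
  p12=$1; ca=$2; pass=$3; rc=0
  tmp=$(mktemp)
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$tmp" 2>/dev/null; then rc=1
  elif ! openssl verify -CAfile "$ca" "$tmp" >/dev/null 2>&1; then rc=2
  elif ! openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null 2>&1; then rc=3
  fi
  rm -f "$tmp"
  return $rc
}

check_bundle "$WORK/fgt.p12" "$WORK/ca.crt" "$P12PASS" \
  && echo "fgt.p12: chains to FAC-Test-CA and is within its validity window"
```

Point check_bundle at the real PKCS#12 and CA export from the FAC to confirm you are pairing each FGT's local cert with the CA cert it was actually signed by.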
Many thanks for explaining! I will test this and get back with results as soon as I have them. Once I get the manual way to work, I'll have a look into SCEP and see if I can get it to work as well.
So, I finally got the chance to get this to work - both manually and via SCEP.
However, a question arose during the PoC with the prospect:
Is it possible to manually trigger a renewal request via the Fortigate CLI? I searched the CLI, Admin Guides, Google and what not, but to no avail.
The problem is that if the tunnel is down, the auto-renewal will fail. But remote access to the device is still possible. So a manual CSR/signing/import would work, but it would be much nicer if it were possible to execute a renewal via CLI.
Be sure to enable "Certificates" under "Feature Select --> Certificates".