The FortiAuthenticator device contains a SCEP server that can sign user CSRs, and distribute CRLs and CA certificates. To use SCEP, you must:
Users can request a user certificate through online SCEP, found at https://<FortiAuthenticator IP Address>/cert/scep.
As administrator, you can allow the FortiAuthenticator unit to either automatically sign the user’s certificate or alert you about the request for signature.
To enable SCEP and configure general settings, go to Certificate Management > SCEP > General.
The following settings can be configured:
Select OK to apply any changes you have made.
To view and manage certificate enrollment requests, go to Certificate Management > SCEP > Enrollment Requests.
The following information is available:

| Setting | Description |
|---|---|
| Automatic request type | Select the automatic request type, either Regular or Wildcard. |
| Certificate Authority | Select one of the available CAs configured on the FortiAuthenticator unit from the drop-down list. The CA must be valid and current. If it is not, you will have to create or import a CA certificate before continuing. See Certificate authorities. |
| Subject Information | |
| Subject input method | Select the subject input method, either Fully distinguished name or Field-by-field. |
| Subject DN | If the subject input method is Fully distinguished name, enter the full distinguished name of the subject. There should be no spaces between attributes. Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They are case-sensitive. |
| Field-by-field | If the subject input method is Field-by-field, enter the subject name in the Name (CN) field (if the Automatic request type is set to Regular), and optionally enter the following fields: |
| Subject Alternative Name | This option is only available if the Automatic request type is set to Regular. |
| Email | Enter the email address of a user to map to this certificate. |
| User Principal Name (UPN) | Enter the UPN used to find the user’s account in Microsoft Active Directory. This will map the certificate to this specific user. The UPN is unique for the Windows Server domain. This is a form of one-to-one mapping. |
| Additional Options | |
| Validity period | Select the amount of time before this certificate expires. Select Set length of time to enter a specific number of days, or select Set an expiry date and enter the specific date on which the certificate expires. |
| Hash algorithm | Select the hash algorithm from the drop-down list, either SHA-1 or SHA-256. |
| Challenge Password | |
| Password creation | Select to either set a random password, or use the default enrollment password (see Default enrollment password). |
| Challenge password distribution | Select the challenge password distribution method. This option is only available if Password creation is set to Set a random password. |
| Renewal | To allow renewals, select Allow renewal, then enter the number of days before the certificate expires. |
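The Subject DN rules stated above (comma-separated attributes, no spaces between attributes, only DC, C, ST, L, O, OU, CN and emailAddress, matched case-sensitively) as a small pre-check an administrator can run on a DN before pasting it into the Subject DN field. This is an added example, not FortiAuthenticator code; it assumes values may contain spaces and does not handle RFC 4514 escaping, which the page does not discuss.

```python
# Attribute types the Subject DN field accepts, as listed on the page.
# The page states they are case-sensitive, so "cn=" or "emailaddress=" is rejected.
VALID_DN_ATTRS = ("DC", "C", "ST", "L", "O", "OU", "CN", "emailAddress")


class DNError(ValueError):
    """Raised when a Subject DN string violates the stated rules."""


def parse_subject_dn(dn: str) -> list[tuple[str, str]]:
    """Split a Subject DN into (attribute, value) pairs, enforcing:

    * attributes are separated by commas with no spaces around them
    * only the attribute types in VALID_DN_ATTRS are accepted
    * attribute names must match exactly (case-sensitive)

    Assumption: values themselves may contain spaces (O=Example Corp).
    Escaped commas inside values (RFC 4514) are not handled here.
    """
    if not dn:
        raise DNError("empty DN")
    pairs = []
    for rdn in dn.split(","):
        if rdn != rdn.strip():
            # A space next to a comma is a space "between attributes".
            raise DNError(f"whitespace between attributes: {rdn!r}")
        if "=" not in rdn:
            raise DNError(f"missing '=' in {rdn!r}")
        attr, value = rdn.split("=", 1)
        if attr not in VALID_DN_ATTRS:
            raise DNError(f"unsupported or mis-cased attribute: {attr!r}")
        if not value:
            raise DNError(f"empty value for {attr}")
        pairs.append((attr, value))
    return pairs


def is_valid_subject_dn(dn: str) -> bool:
    """True if the DN would be accepted under the rules above."""
    try:
        parse_subject_dn(dn)
    except DNError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample DNs, not values from the page.
    for sample in ("CN=jdoe,OU=Engineering,O=Example Corp,C=US",
                   "CN=jdoe, O=Example Corp",   # space after comma
                   "cn=jdoe,O=Example Corp"):   # lowercase attribute
        print(f"{sample!r}: {is_valid_subject_dn(sample)}")
```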