FortiGate certificate enrollment using SCEP with specific source IP

This article describes how to obtain a certificate using SCEP enrollment with a specific source IP on a FortiGate device.

Scope

FortiGate.

Solution

In some cases, for example when the SCEP server is reached through an IPsec tunnel or when an ACL on the server restricts which client addresses may enroll, the enrollment request must leave the FortiGate from a specific source IP.

With the current implementation on FortiGate, the source IP for SCEP enrollment requests can only be specified with the following CLI command. The parameters are positional and the source IP is the last one:

execute vpn certificate local generate rsa <Local certificate name> <Key size> <Subject> <Country name/code> <State/Province> <City> <Organisation> <Unit> <Email> <SAN> <URL of the CA server signing via SCEP> <Challenge Password> <Source IP>

For example:

execute vpn certificate local generate rsa LAB_Cert 4096 tac.lab.ott CA ON Ottawa Fortinet TAC [email protected] DNS:tac.lab.ott scep.tac.lab/certsrv/mscep/mscep.dll password 10.1.1.1
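Before running the FortiGate command, it is useful to confirm that the SCEP server actually accepts requests from the intended source address, since a rejected ACL or a non-matching IPsec selector shows up only as a failed enrollment. The following script is an added example and is not Fortinet's code or part of this article: it runs on an administration host that holds the candidate source IP, binds a socket to that address, and issues the SCEP GetCACaps operation (RFC 8894) against the server. The URL and the source IP 10.1.1.1 are taken from the example above and are assumptions for illustration only.

```python
"""Probe a SCEP server from a chosen source IP (added example, not Fortinet code).

The socket is bound explicitly to the source address so the request reaches the
server from the same IP the FortiGate will later use for enrollment. Host, path
and source IP in the usage section are assumed values copied from the article.
"""
import socket
from urllib.parse import urlsplit

DEFAULT_PORT = 80


def parse_scep_url(url: str) -> tuple[str, int, str]:
    """Split a SCEP URL into (host, port, path).

    FortiGate accepts the URL without a scheme ('scep.tac.lab/certsrv/mscep/mscep.dll'),
    so a missing scheme is treated as plain HTTP.
    """
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("this probe speaks plain HTTP only")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.hostname, parts.port or DEFAULT_PORT, parts.path or "/"


def build_getcacaps_request(host: str, path: str, ca_ident: str = "") -> bytes:
    """Build the HTTP/1.1 GET for the SCEP GetCACaps operation (RFC 8894 section 3.5)."""
    query = f"operation=GetCACaps&message={ca_ident}"
    return (
        f"GET {path}?{query} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "User-Agent: scep-source-probe\r\n"
        "\r\n"
    ).encode("ascii")


def parse_cacaps(response: bytes) -> tuple[int, list[str]]:
    """Return (HTTP status code, list of capability keywords) from a raw HTTP response."""
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    status = int(status_line.split()[1])
    caps = [line.strip() for line in body.decode("ascii", "replace").splitlines() if line.strip()]
    return status, caps


def probe(url: str, source_ip: str, timeout: float = 5.0) -> tuple[int, list[str]]:
    """Send GetCACaps to the SCEP server with the TCP socket bound to source_ip.

    A connection error (refused, timeout, cannot assign source address) propagates
    as OSError, which is itself the useful signal: that source IP will not work.
    """
    host, port, path = parse_scep_url(url)
    with socket.create_connection(
        (host, port), timeout=timeout, source_address=(source_ip, 0)
    ) as sock:
        sock.sendall(build_getcacaps_request(host, path))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_cacaps(b"".join(chunks))


if __name__ == "__main__":
    # Assumed values taken from the article's example command.
    status, caps = probe("scep.tac.lab/certsrv/mscep/mscep.dll", "10.1.1.1")
    print(status, caps)
```

An HTTP 200 with a capability list (for example POSTPKIOperation, SHA-256, AES) means the server answered a request arriving from that source address; a timeout, a connection reset or a 403 from the same host points at the ACL or the tunnel selectors rather than at the FortiGate command itself. The host running the probe must actually own the source IP, otherwise the bind fails with OSError.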