i am trying to get a certificate for a cmp client from the FortiAuthenticator (6.6.0).

In beforehand i

• generated a .pem keypair on the cmp client. (openssl genrsa -out key.pem 2048)
• generated CA cert for FAC
• generated server cert for cmp server on the FAC

This the command:

openssl cmp -cmd ir -server http://192.168.1.99/app/cert/cmp2/ -subject /C=Country/ST=State/L=City/O=Company/CN=PFC200/[email protected] -newkey key.pem -certout cert.pem 

Note, that the DN of the subject is actually different, i inserted placeholders.

The problem is, that the cmp client throws the following error:

CMP info: sending IR
CMP info: received ERROR
CMP error: missing protection

I could not find any hints as to how i can resolve the error/what the reason is. Unfortunately i cannot see any log entries in the logs of the FAC to further investigate.

A capture from the answer of the cmp server on the FAC in wireshark reads the following:

• errorDetails: “missing protection”
• failinfo was “BadRequest”: True
• error code: 486539407

Therefore i tried many versions of the abovehand command by

• adding -recipient (DN of the server)
• creating an enrollment request on the FAC an passing the thereby generated passphrase (something like xpbftSv4) with -secret pass:xpbftSv4
• passing a selfsigned certificate and its key on the client side instead of only a key
• passing the -unprotected_requests flag

The only fitting thing i could find regarding the “bad request” error was on this website https://docs.keyfactor.com/ejbca/latest/cmp-error-messages

“Submitting a CMP client mode enrollment request with invalid certificate extensions specified.”

I tried changing the file extensions from -certout cert.pem to .crt or .cer with no success.

So what exactly is meant by the missing protection ?

The whole point of enrolling with the FAC is a scenario in which the devices dont know each other beforehand.

Thanks in advance and kr

I could not add the appropiate tags like “certificate-management-protocol” or “certificate-enrollment-request”.