I am trying to get a certificate for a CMP client from the FortiAuthenticator (6.6.0).
Beforehand I:
- generated a .pem key pair on the CMP client (openssl genrsa -out key.pem 2048)
- generated a CA cert for the FAC
- generated a server cert for the CMP server on the FAC
This is the command:
openssl cmp -cmd ir -server http://192.168.1.99/app/cert/cmp2/ -subject /C=Country/ST=State/L=City/O=Company/CN=PFC200/[email protected] -newkey key.pem -certout cert.pem
Note that the actual subject DN is different; I inserted placeholders.
The problem is that the CMP client throws the following error:
CMP info: sending IR
CMP info: received ERROR
CMP error: missing protection
I could not find any hints as to how I can resolve the error or what the reason is. Unfortunately I cannot see any log entries in the logs of the FAC to investigate further.
A Wireshark capture of the CMP server's answer on the FAC reads the following:
- errorDetails: “missing protection”
- failinfo was “BadRequest”: True
- error code: 486539407
Therefore I tried many versions of the above command by:
- adding -recipient (DN of the server)
- creating an enrollment request on the FAC and passing the passphrase generated there (something like xpbftSv4) with -secret pass:xpbftSv4
- passing a self-signed certificate and its key on the client side instead of only a key
- passing the -unprotected_requests flag
The only fitting thing I could find regarding the “bad request” error was on this website https://docs.keyfactor.com/ejbca/latest/cmp-error-messages
“Submitting a CMP client mode enrollment request with invalid certificate extensions specified.”
I tried changing the file extension from -certout cert.pem to .crt or .cer with no success.
So what exactly is meant by the missing protection?
The whole point of enrolling with the FAC is a scenario in which the devices don't know each other beforehand.
Thanks in advance and kind regards
I could not add the appropriate tags like “certificate-management-protocol” or “certificate-enrollment-request”.
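Added example, not part of the question above and not FortiAuthenticator code: a complete MAC-protected CMP "ir" exchange run offline against the mock server built into OpenSSL 3.x (-use_mock_srv), so that a protected request can be seen to succeed before pointing the client at a real CA. In openssl cmp, -secret selects password-based MAC protection and -ref supplies the senderKID, which RFC 4210 defines as the reference the server uses to pick the matching shared secret; the DN, reference and secret below are constructed placeholders, and the server-side -srv_* options configure the mock server only.

```shell
#!/bin/sh
# Added example: MAC-protected CMP IR against OpenSSL's built-in mock server.
# Needs only openssl 3.0+; everything runs locally in a temporary directory.
set -eu

CMP_DN="/C=XX/ST=State/L=City/O=Company/CN=PFC200"  # constructed placeholder DN
CMP_REF="device-ref-0001"                           # constructed reference value (senderKID)
CMP_SECRET="pass:exampleSharedSecret"               # constructed shared secret for PBM

# Returns 0 when the protected IR is accepted and the issued certificate
# carries the public key of key.pem; returns 2 when this openssl build has
# no "cmp" subcommand (older than 3.0), and 1 on any other failure.
cmp_mac_enroll_demo() {
    openssl cmp -help >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    rc=0
    (
        cd "$work" &&
        openssl genrsa -out key.pem 2048 2>/dev/null &&
        # The mock server needs a certificate to hand back (-rsp_cert); a
        # self-signed cert for the same key stands in for what a CA would issue.
        openssl req -x509 -new -key key.pem -subj "$CMP_DN" -days 1 \
            -out rsp.pem 2>/dev/null &&
        # Client side: -ref + -secret give the request PBM protection.
        # Server side: -srv_ref/-srv_secret are the mock server's credentials;
        # the same secret must be known on both ends for the MAC to verify.
        openssl cmp -cmd ir -use_mock_srv \
            -ref "$CMP_REF" -secret "$CMP_SECRET" \
            -subject "$CMP_DN" -newkey key.pem -certout cert.pem \
            -srv_ref mock-ca -srv_secret "$CMP_SECRET" -rsp_cert rsp.pem \
            >cmp.log 2>&1 &&
        # Sanity check: the enrolled certificate must match our private key.
        [ "$(openssl x509 -in cert.pem -noout -pubkey)" = \
          "$(openssl pkey -in key.pem -pubout)" ]
    ) || { rc=$?; cat "$work/cmp.log" 2>/dev/null; }
    rm -rf "$work"
    return $rc
}
```

Dropping -ref and -secret from the client line leaves the PKIMessage without a protection field, which is the condition a server reports when it refuses unprotected requests.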