Technical Tip: How to check if a certificate and key belong to a CSR

In this example, the CSR is created on the FortiGate, and it is signed manually by a 3rd party.

On a FortiGate, the following error will appear in the GUI if a user tries to upload a mismatching certificate:

Certificate file is duplicated for CA/LOCAL/REMOTE/crl cert.

Debug will show the following error:

# diag debug reset
# diag debug console timestamp enable
# diag debug cli 8
# diag debug cmdb-trace 1
# diagnose debug application httpsd -1
# diag debug enable
...
2022-07-05 11:06:48 [httpsd 14065 - 1657012008 error] cert_import_common_result[7964] -- Import failed due to error: -328
...

One of the causes is mismatching cert and CSR.

If the CSR, certificate and key are available, the checksums can be checked with openssl to see if they match.

Mismatching cert and CSR example:

User@123:~$ openssl x509 -noout -modulus -in /mnt/c/User/lab/cert.cer | openssl md5
(stdin)= c8c5f07c07cfff27c71e8fd1b23e1cd1

User@123:~$ openssl req -noout -modulus -in /mnt/c/User/lab/csr.csr | openssl md5
(stdin)= a54a6d75362e6ffdf047f594392ef5e7

Matching cert and CSR example:

User@123:~$ openssl x509 -noout -modulus -in /mnt/c/User/lab/1cert_upload_test.local.cer | openssl md5
(stdin)= bf92bdc82b8aff1ad2246af8c4f1be31

User@123:~$ openssl req -noout -modulus -in /mnt/c/User/lab/1cert_upload_test.local.csr | openssl md5
(stdin)= bf92bdc82b8aff1ad2246af8c4f1be31

For checking a key, use the following command:

openssl rsa -noout -modulus -in <pathtothekey> | openssl md5

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fixing-the-error-Certificate-file-is/ta-p/196187