Technical Tip: Verifying and validating the accuracy of a certificate duplication error message
Description
This article describes how to check and confirm a certificate duplication issue when importing a CA certificate into a FortiGate fails with the error message 'The certificate file is duplicated for CA / LOCAL / REMOTE / CRL certificate' in the GUI.
Solution
Importing a Certificate Authority certificate from the GUI can sometimes lead to an error message such as 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert', although this certificate does not appear in the list of external Certificate Authority certificates.


(ca) # get <----- List all CA certificates already loaded.
== [ Fortinet_CA ]
name: Fortinet_CA
== [ Fortinet_Wifi_CA ]
name: Fortinet_Wifi_CA
== [ Fortinet_Wifi_CA2 ]
name: Fortinet_Wifi_CA2
== [ GlobalSign_Root_CA ]
name: GlobalSign_Root_CA
== [ GlobalSign_Root_CA_-_R2 ]
name: GlobalSign_Root_CA_-_R2
== [ Entrust.net_Premium_2048_Secure_Server_CA ]
name: Entrust.net_Premium_2048_Secure_Server_CA
/////
== [ certSIGN_Root_CA_G2 ]
name: certSIGN_Root_CA_G2
== [ Trustwave_Global_Certification_Authority ]
name: Trustwave_Global_Certification_Authority
== [ Trustwave_Global_ECC_P256_Certification_Authority ]
name: Trustwave_Global_ECC_P256_Certification_Authority
== [ Trustwave_Global_ECC_P384_Certification_Authority ]
name: Trustwave_Global_ECC_P384_Certification_Authority
(ca) # get | grep Daddy <----- List CA certificates issued by GoDaddy Inc.
== [ Go_Daddy_Class_2_CA ]
name: Go_Daddy_Class_2_CA
== [ Go_Daddy_Root_Certificate_Authority_-_G2 ]
name: Go_Daddy_Root_Certificate_Authority_-_G2
- Edit the content of the two GoDaddy Inc. certificates and compare them with the one the user is trying to load, in order to verify and validate which one is actually a duplicate.
(ca) # edit Go_Daddy_Class_2_CA
(Go_Daddy_Class_2_CA) # get
name : Go_Daddy_Class_2_CA
ca :
Subject: C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
Issuer: C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
Valid from: 2004-06-29 17:06:20 GMT
Valid to: 2034-06-29 17:06:20 GMT
Fingerprint: 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
Root CA: Yes
Version: 3
Serial Num:
00
Extensions:
Name: X509v3 Subject Key Identifier
Critical: no
Content:
D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
Name: X509v3 Authority Key Identifier
Critical: no
Content:
keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority serial:00
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:TRUE
range : global
source : bundle
trusted : enable
scep-url :
source-ip : 0.0.0.0
- Edit the contents of the second certificate:
(Go_Daddy_Root_Ce~_G2) # get
name : Go_Daddy_Root_Certificate_Authority_-_G2
ca :
Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Valid from: 2009-09-01 00:00:00 GMT
Valid to: 2037-12-31 23:59:59 GMT
Fingerprint: 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
Root CA: Yes
Version: 3
Serial Num:
00
Extensions:
Name: X509v3 Basic Constraints
Critical: yes
Content:
CA:TRUE
Name: X509v3 Key Usage
Critical: yes
Content:
Certificate Sign, CRL Sign
Name: X509v3 Subject Key Identifier
Critical: no
Content:
3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
range : global
source : bundle
trusted : enable
scep-url :
source-ip : 0.0.0.0
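The comparison step above can be scripted. The following is an added example, not part of the original article and not Fortinet code: it parses pasted 'get' output and reports which loaded CA entry has the same fingerprint as the PEM file being imported. It assumes the 16-byte fingerprint shown by the CLI is an MD5 digest of the DER encoding; the function names, the placeholder certificate bytes and the Lab_CA_constructed entry are constructed for illustration.

```python
import base64
import hashlib
import re

# Digest length in bytes -> algorithm (assumption: 16-byte CLI fingerprints are MD5 of the DER).
ALGO_BY_LEN = {16: "md5", 20: "sha1", 32: "sha256"}

def pem_to_der(pem):
    """Return the DER bytes of the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if m is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(der, algo="md5"):
    """Colon-separated upper-case hex digest, formatted like the CLI prints it."""
    return hashlib.new(algo, der).digest().hex(":").upper()

def parse_ca_output(text):
    """Map certificate name -> fingerprint from pasted 'get' output."""
    found, name = {}, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        # Case-sensitive on purpose: extension lines start with 'Name:', entries with 'name :'.
        if key == "name" and value:
            name = value
        elif key == "Fingerprint" and name:
            found[name] = value.upper()
    return found

def find_duplicates(pem, cli_text):
    """Names of loaded CA entries whose fingerprint equals the candidate's."""
    der = pem_to_der(pem)
    loaded = parse_ca_output(cli_text)
    return [name for name, fp in loaded.items()
            if fingerprint(der, ALGO_BY_LEN.get(len(fp.split(":")), "md5")) == fp]

# Constructed sample: placeholder bytes stand in for a DER certificate. The first two
# CLI entries are copied from the article; the third is constructed to match the sample.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_CLI = f"""name : Go_Daddy_Class_2_CA
Fingerprint: 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
Name: X509v3 Basic Constraints
name : Go_Daddy_Root_Certificate_Authority_-_G2
Fingerprint: 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
name : Lab_CA_constructed
Fingerprint: {fingerprint(SAMPLE_DER)}
"""
```

A match by fingerprint means the certificate is already loaded under the reported name, even when that name differs from the file being imported.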
Related article:
Troubleshooting Tip: Fixing the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert.'