Troubleshooting Tip: Fixing the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert.'
Description
This article describes a common problem when importing server certificates. An error message is displayed upon importing: 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert'.
Scope
FortiGate.
Solution
Background:
This error occurs when attempting to import a certificate that already exists on the FortiGate firewall, commonly during certificate renewal processes.
Key Points to Understand:
- Certificate Structure: Every certificate requires both public and private keys working together. The private key must match the public certificate for proper functionality.
- CSR Signing Process: A Certificate Signing Request (CSR) contains the public key and device information. The Certificate Authority validates and signs the CSR, creating a trusted certificate bound to the original private key.
- Original CSR Location: When the Certificate Signing Request was created on a different device, this FortiGate lacks the matching private key that was used during CSR generation.
- Renewal Process Issue: The CA typically provides only the public certificate when renewing, because the CA assumes the requester still holds the private key. The CA may also create a new CSR from the data it stored from the original CSR. Some CAs can provide the private key on renewal.
- Wildcard Certificate Complexity: Wildcard certificates enable authentication across multiple devices; however, each device must possess both the certificate file and its corresponding private key for successful authentication.
- Resolution Required: Import both the renewed certificate AND its private key, or generate a new CSR directly from this FortiGate for future renewals.
- Password: Some certificate containers are protected with a password to read and validate the certificate.
Certificate container file types:
| Description | File Extension | Password protection |
|---|---|---|
| File contains the certificate chain, private key and public key | P12 or PFX | Yes |
| Stores certificates and the certificate chain | P7B or P7C | No |
| Base64-encoded certificate. Typically identified by '-----BEGIN CERTIFICATE-----' or '-----BEGIN PRIVATE KEY-----' | PEM | Optional |
| Binary form of certificate | DER | No |
| Private key | KEY | Optional |
| Certificate signing request | CSR | No |
It is possible to obtain the private key material as follows:
- The public certificate authority (for example, GlobalSign or DigiCert) will also have the file available for download through the CA-provided method.
- If the certificate has been received from an internal certificate authority, the material should also be available. It may be necessary to contact the responsible person or department to obtain the private key.
- A special and valid case: if the certificate was created with the 'Generate' button on the FortiGate certificates page, the FortiGate created a certificate signing request (CSR) that was sent to a certificate authority for signing, and only the signed public certificate is received back. This case is special because it should not trigger the error message above: the private key was generated on the FortiGate and used to create the CSR, so it already matches the signed certificate.
More information on generating a CSR can be found in the Cookbook Generating a CSR on a FortiGate.
To import the files, select the 'Import' button at the top and choose the appropriate file type: PKCS #12 or 'Certificate' for importing the certificate and key file. Choose a descriptive name that would appear in the FortiGate Certificate section.
Examples:
Importing a PKCS #12 bundle (.p12) file:

Otherwise, the same error will be shown: 'Certificate file is duplicated...'.
A CSR generated on a FortiGate has its private key stored on that FortiGate. Another FortiGate does not have the same private key, so it cannot match the certificate to a CSR or use it as a Local Certificate.
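Before importing, it helps to confirm that the private key on hand is really the one bound to the renewed certificate, and that the file received from the CA contains a private key at all. The following is an added example, not from the Fortinet article; it assumes the openssl CLI is on PATH and builds its own constructed demo files (one self-signed certificate with its key, plus an unrelated key standing in for a key generated on a different device).

```shell
#!/bin/sh
# Added example (not from the Fortinet article): check, before importing on a
# FortiGate, whether the private key you hold is the one bound to a certificate.
# Assumes the openssl CLI is on PATH; file names below are placeholders.

# Exit status 0 = match, 1 = mismatch, 2 = unreadable input. The public key
# embedded in the certificate (SubjectPublicKeyInfo) must equal the public key
# derived from the private key; if they differ, the key came from another device.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# A CA-issued renewal often ships only the public certificate; detect a PEM file
# that carries no private key block (PKCS#8, RSA, EC or encrypted variants).
pem_has_private_key() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Constructed demo material: one self-signed cert with its own key, plus an
# unrelated key standing in for "the private key from a different FortiGate".
make_demo_material() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-a" \
    -keyout "$dir/key_a.pem" -out "$dir/cert_a.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -out "$dir/key_b.pem" 2>/dev/null
  echo "$dir"
}

demo() {
  d=$(make_demo_material)
  for key in key_a key_b; do
    if cert_key_match "$d/cert_a.pem" "$d/$key.pem"; then
      echo "$key.pem matches cert_a.pem: import certificate and key together"
    else
      echo "$key.pem does NOT match cert_a.pem: this device lacks the right key"
    fi
  done
  pem_has_private_key "$d/cert_a.pem" || echo "cert_a.pem carries no private key block"
  rm -rf "$d"
}

demo
```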
In a multi-VDOM configuration, when the CSR was generated in one specific VDOM, the signed certificate can only be imported into that VDOM and is only available there, because the private key exists only in that VDOM. If it is imported into Global instead, the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert.' will pop up.
