Troubleshooting Tip: Unable to Import PKCS#12 Certificate on FortiGate

In some cases, when importing a PKCS#12 certificate to the FortiGate, the following error is received:

'The imported local certificate is invalid.'

For PKCS#12 certificate uploads specifically, with duplicates already existing, the firewall does not say it is a duplicate. It returns the error above instead. 

Check if there are any duplicate existing certificates on the firewall. This can be done by comparing the serial numbers of the existing certificates with those of the one being imported. The serial number of the new certificate can be checked by installing it on a different device. 

If there is a duplicate, then no further action is needed.

Another possible reason for this error is that the certificate file is corrupted. In that case, it has to be procured again from the Certificate Authority on a different device from where it was corrupted in the first place.
The easiest way to check if the certificate is valid and readable is by using OpenSSL. The command for this is as follows:

openssl pkcs12 -in filename.p12 -info

If it succeeds, it will prompt for the password and then output information regarding the cert:

 
Note: OpenSSL is not endorsed or supported by Fortinet. Fortinet TAC can not help with issues directly related to OpenSSL, although it can be helpful to troubleshoot issues. More details on the use of OpenSSL can be seen here:
Technical Tip: Use of openssl to verify certificate format when getting error 'Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert' 
Technical Tip: How to generate certificates using OpenSSL 

If there is no duplicate, see the following article for further troubleshooting steps: Troubleshooting Tip: A guide to FortiGate and certificate issues.