FortiGate
pjang
Staff
Article Id 375401
Description This article describes a known restriction that occurs when importing end-entity certificates onto the FortiGate while FIPS-CC mode is enabled. 
Scope FortiGate, FIPS-CC.
Solution

When FIPS-CC mode is enabled, FortiOS does not allow administrators to import an end-entity certificate if the Root and Intermediate certificates (if any) used to sign the certificate are missing on the FortiGate.

This is a known restriction imposed as part of NDcPP v2.2e (FIA_X509_EXT.3.2) requirements while in FIPS-CC mode, whereas non-FIPS-enabled FortiGates do not have this restriction.


Consider the following example:

  • An administrator creates a Certificate Signing Request (CSR) on the FortiGate, exports it, and provides the CSR to a private Certificate Authority (CA) server.
  • The private CA signs the CSR and provides a certificate file. The administrator takes this file and attempts to import it onto the FortiGate.


If the administrator attempts this in the Web GUI, the import fails with the error 'CRL/certificate file doesn't have matched CA imported'.


To resolve this, the full certificate chain must be imported to the FortiGate. This includes the Root CA certificate as well as any Intermediate CA certificates used to sign the FortiGate certificate. To do this:


  1. In the Web GUI, navigate to System -> Certificates.
    • If the section is not present on the FortiGate then go to System -> Feature Visibility and toggle on Additional Features -> Certificates.
  2. Select Create/Import, then select CA Certificate.
  3. Change the Type to File (if uploading a CA certificate file from the local computer), then use the Upload option to locate the CA certificate file on the local computer.

Once the CA certificates have been imported, the end-entity certificate for the FortiGate can be imported (Create/Import -> Certificate).
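The check that FIPS-CC mode performs on import (can a chain from the end-entity certificate be built from CA certificates already trusted on the FortiGate?) can be reproduced on a workstation before uploading anything. The script below is an added example, not code from Fortinet or the article: it builds a throwaway private root -> intermediate -> end-entity chain with the openssl CLI, then shows that the end-entity certificate fails to validate when only the root is trusted and passes once the intermediate is added. The CA names, the hostname fortigate.example.internal and all file names are constructed; the openssl command is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: build a throwaway
# root -> intermediate -> end-entity chain with the openssl CLI, then show
# that the end-entity certificate only validates once its issuing CA
# certificates are available. This is the same condition the FIPS-CC import
# check enforces, so it works as a pre-import check on a workstation.
# Requires the openssl command; all names and files below are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal openssl config for a request with the given CN (no prompting),
# plus a CA extension section reused for the self-signed root.
write_cnf() {  # write_cnf <file> <CN>
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$2" > "$1"
  printf '[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> "$1"
}

# 1. Self-signed private root CA (constructed name).
write_cnf root.cnf "Example Private Root CA"
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -config root.cnf \
  -extensions ca_ext -keyout root.key -out root.pem 2>/dev/null

# 2. Intermediate (issuing) CA signed by the root.
write_cnf int.cnf "Example Private Issuing CA"
openssl req -new -newkey rsa:2048 -nodes -sha256 -config int.cnf \
  -keyout int.key -out int.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -sha256 -extfile ca.ext -out int.pem 2>/dev/null

# 3. End-entity certificate for the firewall, signed by the intermediate
#    (this stands in for the CSR the administrator exports from the FortiGate).
write_cnf leaf.cnf "fortigate.example.internal"
openssl req -new -newkey rsa:2048 -nodes -sha256 -config leaf.cnf \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 1 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

# The full CA chain an administrator would import before the leaf.
cat root.pem int.pem > ca_bundle.pem

# chain_complete <leaf> <trusted CA file> [<untrusted intermediates file>]
# Returns 0 when a chain from the leaf to a trusted root can be built.
chain_complete() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# issuer_of <cert>: print the issuer DN, i.e. which CA certificate must be
# present before this certificate can be imported.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# Stand-alone demo of the failing and succeeding cases.
if chain_complete leaf.pem root.pem; then
  echo "unexpected: chain validated with the intermediate missing"
else
  echo "root only: cannot build chain; missing $(issuer_of leaf.pem)"
fi
chain_complete leaf.pem ca_bundle.pem && echo "root + intermediate: chain complete, leaf can be imported"
```

Running `chain_complete` against the real certificate file returned by the CA, with a CAfile holding every CA certificate already imported on the FortiGate, tells you before the upload whether the import will be rejected; `issuer_of` names the CA certificate that still has to be imported first.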


While this scenario generally occurs with private Certificate Authorities (i.e. CAs owned and operated within an organization), it can occasionally occur with well-known public Certificate Authorities as well (e.g. the FortiGuard Certificate Bundle provided to the FortiGate may be missing the required root or intermediate CA certificates).

In those cases, CA certificate files can frequently be retrieved directly from the Certificate Authority over the Internet.


Related links:

DigiCert Trusted Root Authority Certificates

GoDaddy Certificate Repository


Related articles:

Technical Tip: FortiOS FIPS Resource List

Technical Tip: Unable to import remote certificate to FIPS-CC enabled FortiGate for SAML authentica...
