Description
This article describes how to check and confirm a certificate duplication issue when importing a CA certificate into a FortiGate and getting an error message 'The certificate file is duplicated for CA / LOCAL / REMOTE / CRL certificate' from GUI.
Solution
Importing a Certificate Authority certificate from GUI can sometime lead to an error message such as 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert' although this certificate does not appear in the list of external Certificate Authority certificates.
This article describes how to check and confirm a certificate duplication issue when importing a CA certificate into a FortiGate and getting an error message 'The certificate file is duplicated for CA / LOCAL / REMOTE / CRL certificate' from GUI.
Solution
Importing a Certificate Authority certificate from GUI can sometime lead to an error message such as 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert' although this certificate does not appear in the list of external Certificate Authority certificates.
For example, assuming user gets a ‘Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert’ error message while importing the following certificate (CA certificate issue by GoDaddy Inc.) and wants to verify this certificate is effectively loaded into the FortiGate despite is does not appear in the list of external Certificate Authority certificates.
In order to verify the certificate is effectively already loaded into the FortiGate, the following procedure has to be done from CLI.
1) Edit the content of the two GoDaddy Inc. certificates and compare with the one user is trying to load in order to verify and validate which one is effectively a duplicate.
# config vpn certificate ca
(ca) # get <----- List all CA certificates already loaded.
== [ Fortinet_CA ]
name: Fortinet_CA
== [ Fortinet_Wifi_CA ]
name: Fortinet_Wifi_CA
== [ Fortinet_Wifi_CA2 ]
name: Fortinet_Wifi_CA2
== [ GlobalSign_Root_CA ]
name: GlobalSign_Root_CA
== [ GlobalSign_Root_CA_-_R2 ]
name: GlobalSign_Root_CA_-_R2
== [ Entrust.net_Premium_2048_Secure_Server_CA ]
name: Entrust.net_Premium_2048_Secure_Server_CA
/////
== [ certSIGN_Root_CA_G2 ]
name: certSIGN_Root_CA_G2
== [ Trustwave_Global_Certification_Authority ]
name: Trustwave_Global_Certification_Authority
== [ Trustwave_Global_ECC_P256_Certification_Authority ]
name: Trustwave_Global_ECC_P256_Certification_Authority
== [ Trustwave_Global_ECC_P384_Certification_Authority ]
name: Trustwave_Global_ECC_P384_Certification_Authority
(ca) # get | grep Daddy <----- List CA certificates issued by GoDaddy Inc..
== [ Go_Daddy_Class_2_CA ]
name: Go_Daddy_Class_2_CA
== [ Go_Daddy_Root_Certificate_Authority_-_G2 ]
name: Go_Daddy_Root_Certificate_Authority_-_G2
1) Edit the content of the two GoDaddy Inc. certificates and compare with the one user is trying to load in order to verify and validate which one is effectively a duplicate.
Edit the contents of the first certificate:
2) Edit the contents of the second certificate:
(ca) # edit Go_Daddy_Class_2_CA
(Go_Daddy_Class_2_CA) # get
name : Go_Daddy_Class_2_CA
ca :
Subject: C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
Issuer: C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
Valid from: 2004-06-29 17:06:20 GMT
Valid to: 2034-06-29 17:06:20 GMT
Fingerprint: 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
Root CA: Yes
Version: 3
Serial Num:
00
Extensions:
Name: X509v3 Subject Key Identifier
Critical: no
Content:
D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
Name: X509v3 Authority Key Identifier
Critical: no
Content:
keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority serial:00
Name: X509v3 Basic Constraints
Critical: no
Content:
CA:TRUE
range : global
source : bundle
trusted : enable
scep-url :
source-ip : 0.0.0.0
2) Edit the contents of the second certificate:
(ca) # edit Go_Daddy_Root_Certificate_Authority_-_G2Detailed information collected above confirms the Certificate Authority certificate that is being imported is effectively already loaded into the FortiGate and consequently duplicated.
(Go_Daddy_Root_Ce~_G2) # get
name : Go_Daddy_Root_Certificate_Authority_-_G2
ca :
Subject: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Issuer: C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Valid from: 2009-09-01 00:00:00 GMT
Valid to: 2037-12-31 23:59:59 GMT
Fingerprint: 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
Root CA: Yes
Version: 3
Serial Num:
00
Extensions:
Name: X509v3 Basic Constraints
Critical: yes
Content:
CA:TRUE
Name: X509v3 Key Usage
Critical: yes
Content:
Certificate Sign, CRL Sign
Name: X509v3 Subject Key Identifier
Critical: no
Content:
3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE
range : global
source : bundle
trusted : enable
scep-url :
source-ip : 0.0.0.0
