FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mmaubert
Staff
Description
This article describes how to check and confirm a certificate duplication issue when importing a CA certificate into a FortiGate and receiving the error message 'The certificate file is duplicated for CA / LOCAL / REMOTE / CRL certificate' from the GUI.

Solution
Importing a Certificate Authority certificate from the GUI can sometimes lead to an error message such as 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert' even though this certificate does not appear in the list of external Certificate Authority certificates.

For example, assume the user gets a 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert' error message while importing the following certificate (a CA certificate issued by GoDaddy Inc.) and wants to verify that this certificate is effectively loaded into the FortiGate even though it does not appear in the list of external Certificate Authority certificates.

In order to verify that the certificate is effectively already loaded into the FortiGate, the following procedure has to be performed from the CLI.
# config vpn certificate ca
(ca) # get                               <----- List all CA certificates already loaded.
== [ Fortinet_CA ]
name: Fortinet_CA   
== [ Fortinet_Wifi_CA ]
name: Fortinet_Wifi_CA   
== [ Fortinet_Wifi_CA2 ]
name: Fortinet_Wifi_CA2   
== [ GlobalSign_Root_CA ]
name: GlobalSign_Root_CA   
== [ GlobalSign_Root_CA_-_R2 ]
name: GlobalSign_Root_CA_-_R2   
== [ Entrust.net_Premium_2048_Secure_Server_CA ]
name: Entrust.net_Premium_2048_Secure_Server_CA

/////

== [ certSIGN_Root_CA_G2 ]
name: certSIGN_Root_CA_G2   
== [ Trustwave_Global_Certification_Authority ]
name: Trustwave_Global_Certification_Authority   
== [ Trustwave_Global_ECC_P256_Certification_Authority ]
name: Trustwave_Global_ECC_P256_Certification_Authority   
== [ Trustwave_Global_ECC_P384_Certification_Authority ]
name: Trustwave_Global_ECC_P384_Certification_Authority

(ca) # get | grep Daddy                     <----- List CA certificates issued by GoDaddy Inc.
== [ Go_Daddy_Class_2_CA ]
name: Go_Daddy_Class_2_CA   
== [ Go_Daddy_Root_Certificate_Authority_-_G2 ]
name: Go_Daddy_Root_Certificate_Authority_-_G2   

1) Edit the contents of the two GoDaddy Inc. certificates and compare them with the one the user is trying to load in order to verify which one is effectively a duplicate.

Edit the contents of the first certificate:
(ca) # edit Go_Daddy_Class_2_CA
(Go_Daddy_Class_2_CA) # get
name          : Go_Daddy_Class_2_CA
ca                :
Subject:     C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
Issuer:      C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    Valid from:  2004-06-29 17:06:20  GMT
    Valid to:    2034-06-29 17:06:20  GMT
    Fingerprint: 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
    Root CA:     Yes
    Version:     3
    Serial Num:
        00
    Extensions:
        Name:     X509v3 Subject Key Identifier
        Critical: no
        Content:
        D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3

        Name:     X509v3 Authority Key Identifier
        Critical: no
        Content:
        keyid:D2:C4:B0:D2:91:D4:4C:11:71:B3:61:CB:3D:A1:FE:DD:A8:6A:D4:E3
                                   DirName:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority serial:00

        Name:     X509v3 Basic Constraints
        Critical: no
        Content:
        CA:TRUE

range               : global
source              : bundle
trusted             : enable
scep-url            :
source-ip           : 0.0.0.0

2) Edit the contents of the second certificate:
(ca) # edit Go_Daddy_Root_Certificate_Authority_-_G2

(Go_Daddy_Root_Ce~_G2) # get
name           : Go_Daddy_Root_Certificate_Authority_-_G2
ca                 :
Subject:     C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
Issuer:      C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    Valid from:  2009-09-01 00:00:00  GMT
    Valid to:    2037-12-31 23:59:59  GMT
    Fingerprint: 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
    Root CA:     Yes
    Version:     3
    Serial Num:
        00
    Extensions:
        Name:     X509v3 Basic Constraints
        Critical: yes
        Content:
        CA:TRUE

        Name:     X509v3 Key Usage
        Critical: yes
        Content:
        Certificate Sign, CRL Sign

        Name:     X509v3 Subject Key Identifier
        Critical: no
        Content:
        3A:9A:85:07:10:67:28:B6:EF:F6:BD:05:41:6E:20:C1:94:DA:0F:DE

range               : global
source              : bundle
trusted             : enable
scep-url            :
source-ip           : 0.0.0.0

The detailed information collected above confirms that the Certificate Authority certificate being imported is effectively already loaded into the FortiGate and is consequently a duplicate.
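The comparison above can be automated off-box: the following added example (not part of the original article or of any Fortinet tool) parses the `get` output of `config vpn certificate ca` in the format shown above and computes the fingerprint of the PEM file the user is trying to import. It assumes the FortiGate `Fingerprint:` line is the MD5 digest of the certificate's DER encoding (consistent with the 16-byte value printed above); the PEM body and the CLI sample it works on are constructed placeholders, not real certificate data.

```python
import base64
import hashlib
import re

# Constructed excerpt of "config vpn certificate ca" / "get" output, reduced to the
# fields this check needs; the names and fingerprints are the ones shown in the article.
SAMPLE_GET_OUTPUT = """\
name          : Go_Daddy_Class_2_CA
Subject:     C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
    Fingerprint: 91:DE:06:25:AB:DA:FD:32:17:0C:BB:25:17:2A:84:67
name           : Go_Daddy_Root_Certificate_Authority_-_G2
Subject:     C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
    Fingerprint: 80:3A:BC:22:C1:E6:FB:8D:9B:3B:27:4A:32:1B:9A:01
"""

# Constructed PEM with a dummy body; stands in for the file the user is importing.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed, not a real certificate").decode()
              + "\n-----END CERTIFICATE-----\n")


def parse_ca_entries(text):
    """Map each CA entry name to its Subject and Fingerprint values."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^name\s*:\s*(\S+)", line)  # entry header; extension 'Name:' lines are indented
        if m:
            current = m.group(1)
            entries[current] = {}
        elif current and ":" in line:
            key, _, value = line.strip().partition(":")
            if key in ("Subject", "Fingerprint"):
                entries[current][key] = value.strip()
    return entries


def pem_fingerprint(pem):
    """MD5 over the DER body, formatted like the FortiGate Fingerprint line (assumption)."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    return ":".join(f"{b:02X}" for b in hashlib.md5(der).digest())


def find_duplicate(pem, get_output):
    """Name of the already-loaded CA entry with the same fingerprint, or None."""
    fp = pem_fingerprint(pem)
    for name, fields in parse_ca_entries(get_output).items():
        if fields.get("Fingerprint") == fp:
            return name
    return None


if __name__ == "__main__":
    print(find_duplicate(SAMPLE_PEM, SAMPLE_GET_OUTPUT))
```

Paste the real `get` output into the text variable and point the PEM at the file being imported; a returned name is the store entry the GUI considers the duplicate.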
