FortiGate
skaneria
Staff
Article Id 192523

Description


This article describes how to resolve the 'Certificate file is not a CA file' error that occurs when uploading a CA certificate in the firewall.

 

Scope

 

Any version of FortiGate.

Solution


When a certificate is uploaded to the firewall as a CA certificate, the firewall may return the error 'Certificate file is not a CA file' even though the certificate is shown as a CA certificate.
For the firewall to accept the upload as a CA certificate, the Basic Constraints extension in the certificate must state CA=true.
If this field is not present, the firewall will not accept the certificate as a CA certificate.


See the screenshot below:

[Image: CA_true.png]


Note: To decode the CA certificate on the local computer, run the following OpenSSL command:

 

openssl x509 -in ca_certificate_name.crt -text -noout
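
The check above can be scripted so a certificate is tested before it is uploaded. This is an added example, not Fortinet code: the function names, the script name `check_ca.sh` and the exit-code convention are assumptions made here, and `make_constructed_cert` only generates throwaway certificates for trying the check out.

```bash
#!/usr/bin/env bash
# Added example: check Basic Constraints before uploading a CA certificate.
# Exit codes are this script's own convention:
#   0 = CA:TRUE, 1 = extension present but not CA:TRUE,
#   2 = extension absent, 3 = not a readable PEM certificate.
check_ca_cert() {
    local text
    text=$(openssl x509 -in "$1" -text -noout 2>/dev/null) || return 3
    printf '%s\n' "$text" | grep -q 'X509v3 Basic Constraints' || return 2
    # openssl prints the CA flag on the line after the extension name.
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' \
        | grep -q 'CA:TRUE' || return 1
    return 0
}

# Build a throwaway self-signed certificate (constructed test data).
# $1 = output file, $2 = basicConstraints value ("" omits the extension).
make_constructed_cert() {
    local dir rc
    dir=$(mktemp -d) || return 1
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n'
        printf 'x509_extensions = ext\n[dn]\nCN = constructed-test-cert\n'
        printf '[ext]\nsubjectKeyIdentifier = hash\n'
        [ -z "$2" ] || printf 'basicConstraints = %s\n' "$2"
    } > "$dir/req.cnf"
    rc=0
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$1" >/dev/null 2>&1 || rc=$?
    rm -rf "$dir"
    return "$rc"
}

# Usage: ./check_ca.sh ca_certificate_name.crt
if [ "$#" -gt 0 ]; then
    rc=0; check_ca_cert "$1" || rc=$?
    case $rc in
        0) echo "$1: Basic Constraints CA:TRUE" ;;
        1) echo "$1: Basic Constraints present, but not CA:TRUE" ;;
        2) echo "$1: no Basic Constraints extension" ;;
        *) echo "$1: not a readable PEM certificate" ;;
    esac
    exit "$rc"
fi
```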