Author: spoojary (Staff)
Article Id: 270971
Description: This article describes an issue where, while uploading a certificate, the error 'Basic constraints is absent for CA/LOCAL/REMOTE cert' appears.
Scope: FortiGate.
Solution:
  1. When uploading a certificate, the following error appears: 'Basic constraints is absent for CA/LOCAL/REMOTE cert'.

[Screenshot: the certificate upload dialog showing the error 'Basic constraints is absent for CA/LOCAL/REMOTE cert']

  2. A different extension has been tried, but the issue still occurs.
  3. The CSR was generated on the FortiGate, and the third-party certificate authority that signed it is OpenSSL.
  4. To fix the issue, it is necessary to disable FIPS-CC mode on the FortiGate.
  5. Check the status of FIPS-CC mode in the CLI with 'get system status':

Challenger-kvm94 # get system status
Version: FortiGate-VM64-KVM v7.4.0,build2360,230509 (GA.F)
Security Level: 1
Virus-DB: 1.00000(2018-04-09 18:07)
Extended DB: 1.00000(2018-04-09 18:07)
Extreme DB: 1.00000(2018-04-09 18:07)
AV AI/ML Model: 0.00000(2001-01-01 00:00)
IPS-DB: 6.00741(2015-12-01 02:30)
IPS-ETDB: 6.00741(2015-12-01 02:30)
APP-DB: 6.00741(2015-12-01 02:30)
INDUSTRIAL-DB: 6.00741(2015-12-01 02:30)
IPS Malicious URL Database: 1.00001(2015-01-01 01:01)
IoT-Detect: 0.00000(2022-08-17 17:31)
Serial-Number: FGVM02TM21000113
License Status: Valid
VM Resources: 1 CPU/2 allowed, 1991 MB RAM
Log hard disk: Available
Hostname: Challenger-kvm94
Private Encryption: Disable
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: enable <----- FIPS-CC.
Current HA mode: standalone
Branch point: 2360
Release Version Information: GA
FortiOS x86-64: Yes
System time: Tue Aug 29 14:40:45 2023
Last reboot reason: warm reboot

  6. A console connection is necessary to disable FIPS-CC mode. To import a certificate while FIPS-CC mode stays enabled, the constraint value must be specified on the certificate as described below.
  7. To learn more about constraints and how they are used, refer to this Microsoft Tech Community document.

  • Constraints in certificates are rules that define how a certificate can be used. They include aspects like whether the certificate can act as a Certificate Authority, how its key can be used, what purposes it is valid for (such as encryption or authentication), and restrictions on names and policies. These rules ensure certificates are used securely and appropriately within a system.
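Since the article names OpenSSL as the third-party CA, the script below shows how such a CA issues a certificate that carries the Basic Constraints extension (CA:TRUE for the CA itself, CA:FALSE for a LOCAL/REMOTE end-entity certificate), signs the same CSR once more without any extension profile to produce the kind of certificate FIPS-CC mode rejects, and provides a check that can be run on any PEM file before uploading it. This is an added example, not part of the Fortinet article and not Fortinet's own code. It assumes the openssl CLI is on PATH; the CA name, subject names, section names and file names are hypothetical, and the locally generated CSR stands in for the one exported from the FortiGate.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): an OpenSSL-based CA issuing
# certificates with the Basic Constraints extension, plus a pre-upload check.
# Assumes `openssl` is on PATH. All names below are hypothetical.
set -e

WORK=$(mktemp -d)

# Extension profiles. The CA certificate carries CA:TRUE, the end-entity
# (LOCAL/REMOTE) certificate carries CA:FALSE. In both cases the extension
# is present, which is what FIPS-CC mode checks for.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn

[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_end_entity ]
basicConstraints     = critical, CA:FALSE
keyUsage             = critical, digitalSignature, keyEncipherment
extendedKeyUsage     = serverAuth, clientAuth
subjectKeyIdentifier = hash
EOF

# Self-signed CA certificate using the v3_ca profile.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Example Internal CA" \
  -config "$WORK/openssl.cnf" -extensions v3_ca \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# CSR standing in for the one generated on the FortiGate (hypothetical CN).
openssl req -new -newkey rsa:2048 -nodes \
  -subj "/CN=fgt.example.local" \
  -config "$WORK/openssl.cnf" \
  -keyout "$WORK/fgt.key" -out "$WORK/fgt.csr" 2>/dev/null

# Sign the CSR with the v3_end_entity profile: Basic Constraints present.
openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 \
  -extfile "$WORK/openssl.cnf" -extensions v3_end_entity \
  -out "$WORK/fgt.crt" 2>/dev/null

# Same CSR signed with no extension profile: this is the kind of certificate
# a FortiGate in FIPS-CC mode rejects with "Basic constraints is absent".
openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 \
  -out "$WORK/fgt-no-bc.crt" 2>/dev/null

# Print the Basic Constraints value of a PEM certificate ("CA:TRUE" or
# "CA:FALSE"), or nothing at all when the extension is missing.
basic_constraints_value() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Basic Constraints' | tail -n 1 | tr -d ' '
}

# Exit status 0 when the extension is present, 1 when it is absent.
has_basic_constraints() {
  [ -n "$(basic_constraints_value "$1")" ]
}

for f in ca.crt fgt.crt fgt-no-bc.crt; do
  if has_basic_constraints "$WORK/$f"; then
    echo "$f: Basic Constraints = $(basic_constraints_value "$WORK/$f")"
  else
    echo "$f: Basic Constraints ABSENT (rejected in FIPS-CC mode)"
  fi
done
```

The check inspects the certificate body, so renaming the file to a different file extension cannot make the X.509 extension appear; only re-issuing the certificate from the CA with a profile that includes basicConstraints does. The same `openssl x509 -noout -text` output can be inspected by hand for the line 'X509v3 Basic Constraints' before uploading a certificate to a FortiGate in FIPS-CC mode.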

  8. To disable FIPS-CC mode, consult the Technical Tip: How to enable FIPS-CC mode.


Note:

  • The FortiGate is running in FIPS-CC mode, which performs strict checking and requires the Basic Constraints extension on imported certificates. On any version, FIPS-CC mode does not let the user import a certificate that lacks this extension. 'Basic constraints' is a configurable option that must be set on the certificate before it can be uploaded to the FortiGate.
  • Enabling FIPS-CC mode enforces strict security standards. The error 'Basic constraints is absent for CA/LOCAL/REMOTE cert' means that the uploaded certificate lacks the Basic Constraints extension. This extension is required for certificates used as Certificate Authorities or for local/remote authentication in FIPS setups. Without it, the certificate does not meet FIPS requirements, and the import fails with this error.