Description
This article describes a common problem when importing server certificates. An error message is displayed upon importing: 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert'.
Scope
FortiGate.
Solution
Background:
This error occurs when attempting to import a certificate that already exists on the FortiGate firewall, commonly during certificate renewal processes.
Key Points to Understand:
Certificate Container File Types
| Description | File Extension | Password protection |
|---|---|---|
| File contains both Certificate Chain, Private and Public Keys | P12 or PFX | Yes |
| Stores Certificates and Certificate Chain | P7b or P7C | No |
| Base64 Encode Certificate. Typically identified by -----BEGIN CERTIFICATE----- or -----BEGIN PRIVATE KEY----- | PEM | Optional |
| Binary Form of Certificate | DER | No |
| Private Key | KEY | Optional |
| Certificate signing request | CSR | No |
It is possible to obtain the private key material as follows:
If the certificate has been received from an internal certificate authority, the material should also be available.
It may be necessary to contact the responsible person or department to obtain the private key.
A special and valid case: if the certificate request was created with the 'Generate' button on the certificates page on FortiGate, a 'certificate signing request' (CSR) was created and sent to a certificate authority for signing. In that case, only the public key (the signed certificate) is received back.
This case is special because it should not throw the error message above.
The reason is that the private key has been generated on the FortiGate and was used to generate the CSR.
More information on generating a CSR can be found in the Cookbook Generating a CSR on a FortiGate.
To import the files, select the 'Import' button at the top and select the appropriate file type, PKCS #12 or 'Certificate' for importing the certificate and key file. Choose a descriptive name, which will appear in the FortiGate Certificate section.
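File extensions are often wrong after a renewal, so it helps to check what a file actually contains before choosing the import type. The following is an added example, not Fortinet code: a best-effort classifier that maps PEM labels and the leading ASN.1 bytes onto the container types in the table above. The function names, result strings and sample file names are assumptions made for illustration.

```python
import re

# PEM labels mapped onto the container types from the table above.
PEM_LABELS = {
    "CERTIFICATE": "PEM certificate",
    "PRIVATE KEY": "PEM private key",
    "RSA PRIVATE KEY": "PEM private key",
    "ENCRYPTED PRIVATE KEY": "PEM private key (password protected)",
    "CERTIFICATE REQUEST": "PEM CSR",
    "PKCS7": "PEM P7B chain",
}
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS #7 signedData).
P7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

def _content(buf, pos):
    """Offset of the content of the ASN.1 element at pos, or None if truncated."""
    if pos + 2 > len(buf):
        return None
    first = buf[pos + 1]
    extra = first & 0x7F if first & 0x80 else 0  # long-form length octets
    end = pos + 2 + extra
    return end if end < len(buf) else None

def classify(data):
    """Best-effort guess of the container type from the file content."""
    m = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)
    if m:
        label = m.group(1).decode()
        return PEM_LABELS.get(label, "unknown PEM block: " + label)
    off = _content(data, 0) if data[:1] == b"\x30" else None
    if off is None:
        return "unknown"
    if data[off] == 0x02:  # outer structure opens with a version INTEGER
        return "P12/PFX" if data[off + 2:off + 3] == b"\x03" else "DER private key"
    if data.startswith(P7_SIGNED_DATA, off):
        return "P7B chain (binary)"
    inner = _content(data, off) if data[off] == 0x30 else None
    if inner is None:
        return "unknown"
    # v3 certificates open with an explicit [0] version tag; a CSR opens
    # with INTEGER 0. v1 certificates and CRLs are not distinguished here.
    return {0xA0: "DER certificate", 0x02: "DER CSR"}.get(data[inner], "unknown")

# Constructed samples: only the leading bytes of each structure.
SAMPLES = {
    "site.cer": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
    "site.pfx": bytes.fromhex("30820a00020103"),
    "site.der": bytes.fromhex("3082030030820200a003020102"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify(blob))
```

The check only inspects the first few bytes, so it identifies the container type but does not validate the certificate or confirm that a key matches it.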
Examples:
Importing a PKCS #12 bundle (.p12) file:
The CSR generated on FortiGate has a private key stored. Another FortiGate does not have the same private key and cannot match the certificate to a CSR or use it as a Local Certificate.
Copyright 2025 Fortinet, Inc. All Rights Reserved.