Description
This article describes a common problem when importing server certificates. An error message is displayed upon importing: 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert'.
Scope
FortiGate.
Solution
Background:
This error occurs when attempting to import a certificate that already exists on the FortiGate firewall, commonly during certificate renewal processes.
Key Points to Understand:
- Certificate Structure: Every certificate requires both public and private keys working together. The private key must match the public certificate for proper functionality.
- CSR Signing Process: A Certificate Signing Request (CSR) contains the public key and device information. The Certificate Authority validates and signs the CSR, creating a trusted certificate bound to the original private key
- Original CSR Location: When the Certificate Signing Request was created on a different device, this FortiGate lacks the matching private key that was used during CSR generation.
- Renewal Process Issue: The CA typically provides only the public certificate when renewing the certificate, as the CA assumes the requester has the private key. Also, the CA will create a new CSR using the data it has on the database from he original CSR. Some CA can provide the private key on the renewal.
- Wildcard Certificate Complexity: Wildcard certificates enable authentication across multiple devices; however, each device must possess both the certificate file and its corresponding private key for successful authentication.
- Resolution Required: Import both the renewed certificate AND its private key, or generate a new CSR directly from this FortiGate for future renewals.
- Password: Some certificate containers are protected with a password to read and validate the certificate.
Certificate Container File Types
|
Description |
File Extension |
Password protection |
|
File contains both Certificate Chain, Private and Public Keys |
P12 or PFX |
Yes |
|
Stores Certificates and Certificate Chain |
P7b or P7C |
No |
|
Base64 Encode Certificate. Typically identified by -----BEGIN CERTIFICATE----- or "-----BEGIN PRIVATE KEY----- |
PEM |
Optional |
|
Binary Form of Certificate |
DER |
No |
|
Private Key |
KEY |
Optional |
|
Certificate signing request |
CSR |
No |
It is possible to obtain the private key material as follows:
- The public certificate authority (for example, GlobalSign, Digicert,…) will have the file available as well on the download method CA provided with the certificate.
-
If the certificate has been received from an internal certificate authority, the material should also be available.
It may be needed to contact the responsible person or department to obtain the private key.
-
A special and valid case is: if the certificate has been created by the 'Generate' button on the certificates page on FortiGate, it created a 'certificate signing request' (CSR) which was sent to a certificate authority for signing. Then, only the public key can be received.
This case is special because it should not throw the error message above.
The reason is that the private key has been generated on the FortiGate and was used to generate the CSR.
More information on generating a CSR can be found in the Cookbook Generating a CSR on a FortiGate.
To import the files, select the 'Import' button on the top and select the appropriate file type, PKCS #12 or 'Certificate' for importing the certificate and key file. Choose a descriptive name that would appear in the FortiGate Certificate section.
Examples:
Importing a PKCS #12 bundle (.p12) file:
This is how to import separate files, public certificates, and private keys:
When the CSR is created on the firewall, and it is signed manually, make sure that the cert obtained from the CA is in .cer format, not .crt, and import it as 'Local Certificate'.
To convert the certificate in .crt to .cer refer to:
Otherwise, the same error will be shown: 'Certificate file is duplicated...'.
In case of import issues, contact Fortinet Technical Support.
Note:
The same procedure applies to CA certificates, used for SSL/TLS deep inspection. The private key material is also needed, but it is not available from a public certificate authority. Thus, case 1. will not be applicable; only 2. and 3. would work. Use the internal CA to implement either of them.
When possible, update the existing certificate rather than generate and/or import a new certificate.
Follow this guide to update and renew the existing certificate without the private key.
The same certificate cannot be uploaded as a Local Certificate in multiple FortiGates unless the same private key is used.
The CSR generated on FortiGate has a private key stored. Another FortiGate does not have the same private key and cannot match the certificate to a CSR or use it as a Local Certificate.
Related articles:
