Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Markus_M
Staff
Staff

Created on ‎06-27-2019 05:47 AM Edited on ‎03-20-2025 11:59 PM By Community Manager

Article Id 196187

Troubleshooting Tip: Fixing the error 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert.'

Description


This article describes a common problem when importing server certificates. An error message is displayed upon importing: 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert'.

cc.png

 

This situation can happen when trying to import a certificate that should be used on the FortiGate to allow the FortiGate to identify itself to another end, for example, IPSec signatures or HTTP(S) Web server certificates for the Administrative Web Interface (GUI) but also the SSL VPN interface of the FortiGate.
This issue may arise when the certificate has been freshly set or after replacing an existing one. Certificates expire and cannot be renewed. Certificates need to be replaced to provide the functionality.

 

Scope

 

FortiGate.

Solution


Background:

To identify itself as a remote device, the FortiGate needs a unique set of data that:

  • Is only available to the FortiGate (or server),
  • Cannot be faked, and,
  • Is in the user's control.


This data set is provided by certificates. Certificates are always created with 'public' and 'private' key pairs.

This pair of keys belong together and cannot be used with other pairs. 

  • Public key is available for everyone, like certificates of Root Certificate Authorities which are included in the system certificate store for example.
  • The private key is the unique set of data only available to the same entity that uses it for signing data. Signatures cannot be faked, but data signed with a private key can be verified with the matching public key.


Troubleshooting:

The error message occurs when trying to import a certificate without private key material.

When a certificate is created the private key is included, so the entity that provided the certificate will have this material as well.

This is often supplied either in a pair, that is as crt/cer (public) and .key file (private), or with a p12 as a bundle file.

Note:

Both types can be password protected, but are not necessarily. Software dealing with such files will still request a password for importing/reading, even when there is none.

Be sure to receive the password from the provider as well.

If there is none, leave the password field blank when importing.

It is possible to obtain the private key material as follows:

  1. The public certificate authority (for example GlobalSign, Digicert,…) will have the file available as well on the download method CA provided with the certificate.

  2. If the certificate has been received from an internal certificate authority, the material should also be available.

    It may be needed to contact the responsible person or department to obtain the private key.

  3. A special and valid case is: if the certificate has been created by the 'Generate' button on the certificates page on FortiGate, it created a 'certificate signing request' (CSR) which was sent to a certificate authority for signing. Then, only the public key can be received.

    This case is special because it should not throw the error message above.

    The reason is that the private key has been generated on the FortiGate and was used to generate the CSR. 


More information on generating a CSR can be found in the Cookbook Generating a CSR on a FortiGate.

To import the files, select the 'Import' button on the top and select the appropriate file type, PKCS #12 or 'Certificate' for importing the certificate and key file. Choose a descriptive name that would appear in the FortiGate Certificate section.

Examples:

Importing a PKCS #12 bundle (.p12) file:

 

Stephen_G_1-1730728451845.png

 

This is how to import separate files, public certificates, and private keys:
 
Stephen_G_0-1730728428943.png

 

When the CSR is created on the firewall, and it is signed manually, make sure that the cert obtained from the CA is in .cer format, not .crt,  and import it as 'Local Certificate'.
To convert the certificate in .crt to .cer refer to:

Otherwise, the same error will be shown: 'Certificate file is duplicated...'.
 
In case of import issues, contact Fortinet Technical Support.
 
Note:
The same procedure applies to CA certificates, used for SSL/TLS deep inspection.  The private key material is also needed, but it is not available from a public certificate authority. Thus case 1. will not be applicable, only 2. and 3. would work. Use the internal CA to implement either of them.
 
When possible, update the existing certificate rather than generate and/or import a new certificate.
Follow this guide to update and renew the existing certificate without the private key
 
The same certificate cannot be uploaded as a Local Certificate in multiple FortiGates unless the same private key is used.

The CSR generated on FortiGate has a private key stored. Another FortiGate does not have the same private key and cannot match the certificate to a CSR or use it as a Local Certificate.

 

Related article:
Labels:
118811
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.