Markus_M
Staff
Article Id 196187

Description


This article describes a common problem when importing server certificates. The following error message is displayed on import: 'Certificate file is duplicated for CA/LOCAL/REMOTE/CRL cert'.
This situation can occur when importing a certificate that the FortiGate is meant to use to identify itself to another party, for example for IPsec signatures or as the HTTP(S) web server certificate for the administrative web interface (GUI) or the SSL VPN portal.
The issue may arise when the certificate is set up for the first time or when an existing one is replaced. Certificates expire and cannot be renewed in place; an expired certificate has to be replaced for the feature to keep working.

Scope

FortiGate.

Solution


Background:

To identify itself to a remote device, the FortiGate needs a unique set of data that:

  • is only available to the FortiGate (or server),
  • cannot be faked, and
  • is in the user's control.


This data set is provided by certificates. Certificates are always created with a 'public' and 'private' key pair.

This pair of keys belongs together and cannot be combined with keys from other pairs.

  • The public key is available to everyone; for example, the certificates of root Certificate Authorities are included in the system certificate store.
  • The private key is the unique data that is available only to the entity that uses it to sign data. Signatures cannot be forged, and data signed with a private key can be verified with the matching public key.


Troubleshooting:

The error message occurs when trying to import a certificate without its private key material.

When a certificate is created, the private key is generated with it, so the entity that provided the certificate will have this material as well.

It is usually supplied either as a pair, a .crt/.cer file (public certificate) and a .key file (private key), or as a single PKCS #12 (.p12) bundle containing both.

Note:

Both forms may be password protected, but need not be. Software that handles such files will still ask for a password when importing or reading them, even when there is none.

Be sure to obtain the password from the provider as well.

If there is none, leave the password field blank when importing.

It is possible to obtain the private key material as follows:

  1. A public certificate authority (for example GlobalSign, DigiCert, …) will also have the file available via the download method the CA provided with the certificate.

  2. If the certificate was issued by an internal certificate authority, the material should also be available there.

    It may be necessary to contact the responsible person or department to obtain the private key.

  3. A special and valid case: if the certificate was created with the 'Generate' button on the FortiGate certificates page, the FortiGate created a 'certificate signing request' (CSR) that was sent to a certificate authority for signing. In that case only the public certificate is received back.

    This case is special because it should not produce the error message above.

    The reason is that the private key was generated on the FortiGate and used to create the CSR, so the FortiGate already holds the matching private key.


More information on generating a CSR can be found in the Cookbook here.
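Before importing, it is worth checking on a workstation that the files actually carry private key material and that the key belongs to the certificate, because a mismatch or a certificate-only file is exactly what produces the 'duplicated' error. The script below is an added example written with openssl; it is not Fortinet tooling. It assumes openssl 1.1.1 or 3.x is on the PATH, and every file name, subject and password in it is constructed for the demo. It walks through the CSR case (item 3): a key and CSR are generated locally, a throwaway CA stands in for the signing CA, and the returned certificate is checked against the local key, alongside a mismatched key, a certificate-only file and a PKCS #12 bundle.

```shell
#!/bin/sh
# Added example (not Fortinet's tooling): openssl checks to run before importing
# a certificate, to confirm private key material is present and matches.
# Assumes openssl (1.1.1 or 3.x) is on the PATH. All names below are constructed.
set -eu

# Returns 0 if the PEM file carries a private key block (the .key half of a pair).
pem_has_private_key() {
  grep -q -E -e '-----BEGIN (RSA |EC |ENCRYPTED )?PRIVATE KEY-----' "$1"
}

# Returns 0 if the certificate's public key equals the public half of the private
# key. Comparing the public keys (not just RSA moduli) works for RSA and EC alike.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Bundles certificate ($1) and key ($2) into PKCS#12 ($3). The export password
# ($4) is the password the FortiGate import dialog will ask for; $5 is the name.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$5" -passout "pass:$4"
}

# Returns 0 if the PKCS#12 bundle ($1, password $2) contains a private key.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# --- Constructed demo material (temporary directory, removed on exit) ---------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Server key + CSR, as the FortiGate 'Generate' button would produce (case 3).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/fgt.key" 2>/dev/null
openssl req -new -key "$WORK/fgt.key" -subj '/CN=fgt.example.test' -out "$WORK/fgt.csr"

# A throwaway CA standing in for the internal or public CA that signs the CSR.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj '/CN=Demo CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl x509 -req -in "$WORK/fgt.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -sha256 -out "$WORK/fgt.cer" 2>/dev/null

# An unrelated key, to show what a mismatched pair looks like.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null

CERT="$WORK/fgt.cer"; KEY="$WORK/fgt.key"; OTHER="$WORK/other.key"; CA="$WORK/ca.crt"
P12="$WORK/fgt.p12"; P12_PW='changeit'
make_p12 "$CERT" "$KEY" "$P12" "$P12_PW" 'fgt-demo'

if cert_key_match "$CERT" "$KEY"; then
  echo "fgt.cer matches fgt.key: importing the signed cert as Local Certificate will work"
fi
if ! cert_key_match "$CERT" "$OTHER"; then
  echo "other.key does not belong to fgt.cer: expect 'Certificate file is duplicated'"
fi
if ! pem_has_private_key "$CA"; then
  echo "ca.crt alone carries no private key: it cannot serve as a local certificate"
fi
if p12_has_private_key "$P12" "$P12_PW"; then
  echo "fgt.p12 carries the private key: import it as PKCS #12 with password '$P12_PW'"
fi
```

The password given to `make_p12` is the one to type into the import dialog; if the bundle was exported without one, the field is left blank as described above. A `.crt`/`.cer` file that fails `pem_has_private_key` and whose key cannot be found by `cert_key_match` against any available `.key` file is the situation the error message refers to.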

To import the files, select the 'Import' button at the top and choose the appropriate file type: PKCS #12 for a .p12 bundle, or 'Certificate' for a separate certificate and key file. Choose a descriptive name; it will appear in the FortiGate Certificate section.


Examples:

Importing a PKCS #12 bundle (.p12) file:

[Screenshot: PKCS #12 certificate import dialog]

This is how to import separate files, the public certificate and the private key:

[Screenshot: certificate and key file import dialog]


When the CSR was created on the firewall and signed manually, make sure that the certificate received from the CA is in .cer format, not .crt (rename it if necessary), and import it as 'Local Certificate'.
Otherwise the same error will be shown: 'Certificate file is duplicated...'.

In case of import issues, contact Fortinet Technical Support.

Note:
The same procedure applies to CA certificates used for SSL/TLS deep inspection. The private key material is needed here as well, but it is not available from a public certificate authority. Case 1) therefore does not apply; only 2) and 3) will work, and the internal CA is used for either of them.

When possible, update the existing certificate rather than generating and/or importing a new one.

Related article: