FortiManager
FortiManager supports network operations use cases for centralized management, best practices compliance, and workflow automation to provide better protection against breaches.
bksol92
Staff
Article Id 372641
Description This article describes how to resolve errors related to duplicated CA certificates when trying to push a policy package.
Scope FortiManager.
Solution

By default, FortiManager installs all CA certificates imported in Policy & Objects. However, there are cases where the following error occurs:

 

dup-cert.PNG

 

The following debug commands show which certificate is duplicated at the ADOM level:

 

dia de app securityconsole 255

dia de en

#SECURITY_CONSOLE: (1) [Bezza-kvm17[copy] root] Start copying policy to devdb, device(Bezza-kvm17), vdomid(root) (reason:none
SECURITY_CONSOLE: (1) Using mm method.
SECURITY_CONSOLE: Installing endpoint-control fctems
SECURITY_CONSOLE: Installing endpoint-control fctems completed - 7 entries installed, 0 errors
SECURITY_CONSOLE: Installing system replacemsg-group
SECURITY_CONSOLE: Installing system replacemsg-group completed - 0 entries installed, 0 errors
SECURITY_CONSOLE: Installing authentication setting
SECURITY_CONSOLE: Installing authentication setting completed - 1 entries installed, 0 errors
TCL error(This CA certificate is duplicated.).
obj vpn certificate ca
auto-update-days:0
auto-update-days-warning:0
ca:-----BEGIN CERTIFICATE-----
MIIFgzCCA2ugAwIBAgIUdg5LbHdYbgS3cgZ2/tZADiqrAvIwDQYJKoZIhvcNAQEL
---
vyKioic7j38Dc741NJwnB73vERgHDlY=
-----END CERTIFICATE-----
ca-identifier:
last-updated:0
name:ca-cert-1
obsolete:disable
range:vdom
scep-url:
source:user
source-ip:0.0.0.0
ssl-inspection-trusted:enable

 

Imported CA certificates can be inspected individually to identify the duplicated CA certificate:

 

ca-cert-1.PNG

 

To resolve this, delete ca-cert-1, which has the same certificate content as ca-cert. Then run a policy package installation and load the Install Preview to confirm that FortiManager is now trying to install ca-cert to FortiGate:

 

ca-cert.PNG
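
When many CA certificates are imported, comparing them one by one is slow. The following added example (not part of the original article and not Fortinet code) groups PEM certificates by the SHA-256 of their decoded content, so that copies differing only in line wrapping or line endings are still matched. It assumes the certificates are available as PEM text; the `other-ca` name and all certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def make_pem(der: bytes, width: int = 64, newline: str = "\n") -> str:
    """Wrap bytes as a PEM block (only used to build the constructed samples)."""
    b64 = base64.b64encode(der).decode()
    body = newline.join(b64[i:i + width] for i in range(0, len(b64), width))
    return (f"-----BEGIN CERTIFICATE-----{newline}{body}{newline}"
            f"-----END CERTIFICATE-----{newline}")


def fingerprint(pem: str) -> str:
    """SHA-256 over the decoded bytes, so wrapping and CRLF do not matter."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(match.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def find_duplicates(certs: dict) -> list:
    """Return sorted groups of object names with identical certificate content."""
    groups = defaultdict(list)
    for name, pem in certs.items():
        groups[fingerprint(pem)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


# Constructed sample data: placeholder bytes, not real certificates.
SAMPLE = {
    "ca-cert": make_pem(b"constructed CA content A" * 20),
    # Same content, different wrapping and CRLF line endings.
    "ca-cert-1": make_pem(b"constructed CA content A" * 20, width=76,
                          newline="\r\n"),
    "other-ca": make_pem(b"constructed CA content B" * 20),
}

if __name__ == "__main__":
    for group in find_duplicates(SAMPLE):
        print("same certificate content:", ", ".join(group))
```

Each reported group holds object names that carry the same certificate; keep one and delete the others before reinstalling the policy package.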