FortiWeb
bkashava
Staff
Article Id 423730
Description

This article explains the conditions under which FortiWeb displays the error message 'The imported local certificate is invalid' or 'The certificate does not match any private key generated on FortiWeb. Please verify that you have the correct certificate file' when importing certificates and clarifies the correct certificate import workflows.


This behavior is commonly observed when an incorrect certificate type is selected during import or when a certificate generated from a FortiWeb-created certificate signing request cannot be associated with its corresponding private key.

Scope

FortiWeb.

Solution

FortiWeb validates certificates differently depending on how the certificate signing request was generated and which certificate import type is selected. The error 'The imported local certificate is invalid' is expected behavior in the scenarios described below.

 

Scenario 1: Externally generated certificate imported as Local Certificate.

 

The Local Certificate import type is only supported when the certificate signing request was generated directly on FortiWeb. In this workflow, FortiWeb already stores the private key internally and expects only the signed certificate to be uploaded.


If the certificate signing request was generated externally, such as on a Linux system using OpenSSL, Microsoft Internet Information Services, or a cloud certificate authority, FortiWeb does not have access to the corresponding private key. As a result, FortiWeb cannot validate the certificate and displays the error.

The Local Certificate import type rejects externally generated certificates because no matching private key exists on FortiWeb.

If the certificate signing request was generated externally, the correct procedure is to use the Certificate import type and upload both the Certificate file and the Key file: go to Server Objects -> Certificates -> Certificate and import both the certificate file and the private key file. Alternatively, if the certificate and private key are packaged as a PKCS#12 bundle, import the file using the PKCS12 Certificate type.


Scenario 2: Certificate name mismatch for FortiWeb-generated certificate signing requests.

 

When a certificate signing request is generated on FortiWeb, the private key is stored internally and associated with the certificate object name. During certificate import, FortiWeb attempts to associate the uploaded certificate with the stored private key using the certificate file name.

If the returned certificate file name does not match the original certificate signing request object name, FortiWeb cannot associate the certificate with the stored private key and displays the error.

Examples:

  • Certificate signing request generated on FortiWeb: waf3.fntlab.com.csr.
  • Incorrectly returned certificate file name: server.crt.
  • Correct returned certificate file name: waf3.fntlab.com.crt.

The certificate file name must match the original certificate signing request name, excluding the file extension. The Common Name or Subject Alternative Name values do not affect this validation process.
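The two scenarios can be checked before uploading anything. The following pre-import check is an added example, not Fortinet code: the function name `plan_import`, the extension sets, and the exact (case-sensitive) name comparison are assumptions made for illustration.

```python
from pathlib import PurePath

# Assumed extension sets, used only to strip the extension from a file name.
CERT_EXTS = {".crt", ".cer", ".pem"}
CSR_EXTS = {".csr"}
P12_EXTS = {".p12", ".pfx"}


def _base(name, exts):
    """File name without its extension, if the extension is a known one."""
    p = PurePath(name)
    return p.stem if p.suffix.lower() in exts else p.name


def plan_import(cert_file, key_file=None, fortiweb_csr=None):
    """Pick the FortiWeb import type for a certificate and flag blockers.

    cert_file    -- file returned by the CA (or a PKCS#12 bundle)
    key_file     -- private key file on hand, if the CSR was made externally
    fortiweb_csr -- name of the CSR generated on FortiWeb, if any
    Returns (import_type, problem); problem is None when the import can proceed.
    """
    cert = PurePath(cert_file)
    if cert.suffix.lower() in P12_EXTS:
        # The bundle carries certificate and private key together.
        return ("PKCS12 Certificate", None)
    if fortiweb_csr is not None:
        # Scenario 2: the key is stored on FortiWeb and is found by file name,
        # not by Common Name or Subject Alternative Name.
        expected = _base(fortiweb_csr, CSR_EXTS)
        if _base(cert.name, CERT_EXTS) != expected:
            return ("Local Certificate",
                    f"rename {cert.name} to {expected}{cert.suffix}")
        return ("Local Certificate", None)
    if key_file:
        # Scenario 1: CSR generated externally, so upload certificate and key.
        return ("Certificate", None)
    return (None, "no private key on FortiWeb or on hand; "
                  "Local Certificate import would be rejected")


if __name__ == "__main__":
    # File names from the article's example.
    print(plan_import("server.crt", fortiweb_csr="waf3.fntlab.com.csr"))
    print(plan_import("waf3.fntlab.com.crt", fortiweb_csr="waf3.fntlab.com.csr"))
```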


Related document:

Uploading a server certificate