FortiGate
skrymi, Staff
Article Id 254763
Description

This article describes how to fix the error 'Certificate is not a CA file' that appears when trying to import a CA certificate on FortiGate.

Scope

FortiGate, LDAP server.
Solution

When importing a certificate as a CA certificate on FortiGate, the file must actually contain a CA certificate: the certificate of the Certificate Authority that issued the server certificate, not the server certificate itself. The same CA must be the one the server side uses, for example when an LDAP server is used to authenticate external users over a secure connection.

The following error may sometimes appear:

[kb1.png: FortiGate import error 'Certificate is not a CA file']

The file is a .cer certificate, but the error still occurs because the certificate inside it is not a CA certificate. The certificate can be decoded (it is not encrypted, only DER or PEM encoded) to check whether it is a CA certificate, root or intermediate: the basicConstraints extension must set cA=TRUE and the keyUsage extension must include keyCertSign.

 

The cA=TRUE value indicates that the certificate is a CA certificate, and keyUsage=keyCertSign indicates that the private key corresponding to the certificate is permitted to sign certificates. For example, consider the following two certificates (the extension dump below is in the format of Windows certutil):

 

1) Certificate 'xxxxxxxxxxx.cer':

    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)

2) Certificate 'yyyyyyyyyy.cer':

    Certificate Extensions: 5
    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

 

Certificate 'xxxxxxxxxxx.cer' cannot be imported as a CA certificate: its Key Usage allows only Digital Signature and Key Encipherment, which is the profile of an end-entity (server) certificate, so FortiGate rejects it with 'Certificate is not a CA file'. Certificate 'yyyyyyyyyy.cer' includes Certificate Signing in its Key Usage, so it is a CA certificate and can be imported and used to verify the server side during user authentication.

In this output, 2.5.29.15 is the OID of the keyUsage extension and the hex value in parentheses is the raw bit string: a0 = digitalSignature (80) + keyEncipherment (20), and 86 = digitalSignature (80) + keyCertSign (04) + cRLSign (02). The keyCertSign bit is what marks a CA certificate. To secure the connection between FortiGate and the server, import the CA certificate that issued the server certificate (the root, together with the intermediate CA if the chain has one), so that FortiGate can validate the certificate the server presents in the TLS handshake.

 

[Image kb2.png]

After the CA certificate is imported on FortiGate, it can be selected in the configuration of the remote server so that the server certificate is verified against it. An LDAP server is used here to demonstrate the case.

CA_Cert_1 is the root certificate imported on FortiGate, and the same certificate CA_Cert_1 is selected as the certificate in the LDAP server configuration on FortiGate, with Secure Connection enabled. After that, authenticate with a remote user and test the connectivity.

The Connection Status should show as Successful:

 

[kb3.png: LDAP server Connection Status showing Successful]

 

[Image kb4.jpg]
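As an added example (not from the article), the FortiOS CLI equivalent of the GUI steps above, so the same setup can be reproduced or checked over SSH. The server address, base DN, bind account, profile name and user names are placeholders; only the CA certificate name CA_Cert_1 comes from the article.

```text
# CA_Cert_1 must already exist among the CA certificates (System > Certificates,
# imported as CA certificate); this lists the CA certificates FortiGate holds:
show vpn certificate ca

# LDAP server profile that validates the server certificate against CA_Cert_1
config user ldap
    edit "LDAP-Server"
        set server "ldap.example.local"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=local"
        set type regular
        set username "cn=fgt-bind,cn=Users,dc=example,dc=local"
        set password <bind-password>
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
        set server-identity-check enable
    next
end

# Test authentication of a remote user through this profile
diagnose test authserver ldap LDAP-Server testuser <user-password>

# If the bind fails, trace the LDAP and TLS exchange in fnbamd
diagnose debug application fnbamd -1
diagnose debug enable
```

With `server-identity-check enable`, FortiGate also requires the name in `set server` to match the subject or subject alternative name of the LDAP server certificate, so use the hostname on the certificate rather than an IP address there; `set secure starttls` on port 389 is the alternative when the server offers STARTTLS instead of LDAPS.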
