FortiGate Certificate Import Errors

FortiGate Certificate KB ID 0001791

Problem

A colleague messaged me last week because he could not import a certificate (one that had been exported from a Cisco ASA) onto a FortiGate. He was seeing this error:

Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert.

FortiGate Certificate Problems

A brief Google led me to ask “Is the FortiGate licensed, or on a Free/Trial license?”, as that can {apparently} produce this error. But for us this was not the problem.

This was happening because the ASA (like Windows) exports its certificates in ‘base64’ encoding, and the FortiGate does not like that, so it throws its toys out of the pram. Firstly, ENSURE you exported the certificate as a PKCS12 file, like so,

Otherwise the certificate will NOT be exported with its private key, and if you import a certificate into a FortiGate without its private key you will get this error:

Certificate file is duplicated for CA/LOCAL./REMOTE/CRL cert.

We now have a copy of our exported ‘base64 encoded’ certificate. (Note: it has no file extension, don’t panic!) If it was exported from Windows it might have a .PFX extension; if yours does, simply use the following commands with that file extension.

Put it on a machine that has OpenSSL installed (if, like me, you’re a macOS user, copy it there, as OpenSSL is installed by default). Firstly we have to decode the exported certificate:

[box]

openssl base64 -in /Users/petelong/Dropbox/PNL-EXPORTED-CERT -d -out /Users/petelong/Dropbox/PNL-DECODED-CERT

[/box]

Now that we have decoded the certificate, we can extract the private key with the following command.

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -nocerts -out /Users/petelong/Dropbox/PNL-PRIVATE-KEY.pem

[/box]

Then, to extract the identity certificate itself (without the key), use the following command.

[box]

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -clcerts -nokeys -out /Users/petelong/Dropbox/PNL-IDENTITY-CERT.pem

[/box]
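The three commands above assume you already know the export is base64 text. As an added example (not from the original article, and not a FortiGate or Cisco tool), this Python script checks which encoding an exported bundle actually uses before you touch it, going a little beyond the article by handling binary, bare base64 and PEM-armoured input and confirming the result has the PKCS#12 outer structure (an outer SEQUENCE whose first element is the PFX version INTEGER 3). The sample bundle is constructed, not a real certificate.

```python
"""Detect how an exported PKCS#12 bundle is encoded and normalise it to raw DER."""
import base64
import re

_B64_TEXT = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def der_length(buf: bytes, pos: int):
    """Return (length, bytes used) for the DER length field starting at buf[pos]."""
    first = buf[pos]
    if first < 0x80:
        return first, 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n


def looks_like_pkcs12(der: bytes) -> bool:
    """Outer SEQUENCE spanning the whole file, first element INTEGER 3 (PFX version, RFC 7292)."""
    if len(der) < 5 or der[0] != 0x30:
        return False
    try:
        length, used = der_length(der, 1)
    except ValueError:
        return False
    return 1 + used + length == len(der) and der[1 + used:4 + used] == b"\x02\x01\x03"


def normalise_pkcs12(data: bytes):
    """Return (encoding, der) with encoding 'der', 'pem' or 'base64'; ValueError otherwise."""
    if looks_like_pkcs12(data):
        return "der", data  # already binary, the form the FortiGate accepts
    text = data.strip()
    if text.startswith(b"-----BEGIN"):  # PEM armour: drop the header/footer lines
        inner, kind = b"".join(l for l in text.splitlines() if not l.startswith(b"-----")), "pem"
    elif _B64_TEXT.match(text):  # bare, line-wrapped base64 as a Cisco ASA exports it
        inner, kind = text, "base64"
    else:
        raise ValueError("neither PKCS#12 DER nor base64 text")
    der = base64.b64decode(inner)  # newlines are skipped; bad padding raises a ValueError subclass
    if not looks_like_pkcs12(der):
        raise ValueError("decoded bytes are not a PKCS#12 (PFX v3) structure")
    return kind, der


# Constructed sample, not a real certificate: the PFX outer shape SEQUENCE { INTEGER 3,
# SEQUENCE { OCTET STRING of 200 zero bytes } } with hand-encoded long-form lengths.
SAMPLE_DER = b"\x30\x81\xd1\x02\x01\x03\x30\x81\xcb\x04\x81\xc8" + b"\x00" * 200
SAMPLE_ASA_EXPORT = base64.encodebytes(SAMPLE_DER)  # what the base64 export looks like
SAMPLE_PEM = b"-----BEGIN PKCS12-----\n" + SAMPLE_ASA_EXPORT + b"-----END PKCS12-----\n"
```

Feed `normalise_pkcs12()` the bytes of the exported file; if it reports `base64` or `pem`, write the returned DER out and use that with `openssl pkcs12` or the FortiGate import instead of guessing.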

Import FortiGate Certificate

Now that you have those TWO files (the private key and the identity certificate) you can import them into your FortiGate, like so.

Related Articles, References, Credits, or External Links

NA

Citrix NetScaler – ‘Certificate is not a server certificate’

KB ID 0001191 

Problem

While attempting to bind a certificate to a Virtual Server on my NetScaler this happened:

Error
Certificate is not a server certificate

 

Solution

Before you proceed, delete the problem certificate to avoid confusion!

I had generated this certificate with Microsoft Certificate Services, and I had made a wildcard certificate like so:

Certificate Services – Create a ‘Wildcard Certificate’

Remember, if you use the standard ‘Web Server’ template it does not allow you to export the private key of the certificate, so clone the template, allow the private key to be exported, and then use that cloned template to create your wildcard cert.

Open the certificate on a Windows machine > Install Certificate.

Select ‘Local Machine’ > Next.

Manually put the certificate in the ‘Personal’ container > OK > Next.

Now open an MMC console (Start > Run > mmc {enter}) > File > Add/Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > All Tasks > Export.

Note: Make sure there is a small key icon on the cert (it shows the private key is present); if not, create a new one or follow this article.

Yes ‘Export the private key’, (if you don’t see this page, then you have done something wrong).

Export as PKCS 12 (PFX) > Next.

Set a password, (you will need this in a minute, so don’t forget it) > Next.

Save the exported cert with a pfx extension > Next.

OK

Now EXPORT THE CERT AGAIN; this time you DO NOT want to export the private key, and you want to export it as Base 64 (CER) > Follow the wizard and save it in the same location as the PFX file you exported earlier.

So now you should have two exported certificates, like this:

Log into the NetScaler > Configuration > Traffic Management > SSL > Import PKCS#12.

Set the Output File Name to have a .key extension and call it something sensible > Browse to your PFX file > Enter the import password > Set a PEM Passphrase (set it the same as the export password for simplicity) > OK.

Now navigate to Configuration > Traffic Management > SSL > Certificates > Add.

 

Again, give it a sensible name that you can identify, like the FQDN; if you just call it ‘certificate’ you will have problems down the line when you have loads of certificates! For ‘Certificate File Name’ browse to the .CER file you exported earlier. For ‘Key File Name’ browse the appliance and select the .KEY file you created above. Type in the PEM password > Install.

You can now assign this certificate without error.

 

Related Articles, References, Credits, or External Links

NA