FortiGate Certificate Import Errors

FortiGate Certificate KB ID 0001791


A colleague messaged me last week because he could not import a certificate on a FortiGate (that had been exported from a Cisco ASA). He was seeing this error;

Fortigate Incorrect Certificate

Incorrect certificate file format for CA/LOCAL/CRL/REMOTE cert.

FortiGate Certificate Problems

A brief Google led me to ask “Is the FortGate licensed or on a Free/Trial license?” As that can produce this error {apparently}. But for us this was not the problem.

This was happening because the ASA (like Windows) exports its certificates in ‘base64‘ encoding and the FortiGate does not like that, so it throws its toys out of the pram. Firstly ENSURE you exported the certificate as a PKCS12¬†file like so,

Export Cisco ASA Certificate with Private Keys

Otherwise the certificate will NOT be exported with its private key, and if you import a certificate into a FortiGate without the private key you will get this error;

Fortigate Certificate is duplicated

Certificate file is duplicated for CA/LOCAL./REMOTE/CRL cert.

We now have a copy of our exported ‘base64 encoded’ certificate. (Note: It has no file extension, don’t panic!) If it was extracted from Windows, it might have a .PFX extension. If yours does, simply use the following commands with that file extension.

Export Cisco ASA Certificate with Private Keys

And put it on a machine that has OpenSSL installed, or if like me you’re a macOS user copy it there, (OpenSSL is installed by default). Firstly we have to decode the extracted certificate;

openssl base64 -in /Users/petelong/Dropbox/PNL-EXPORTED-CERT -d -out /Users/petelong/Dropbox/PNL-DECODED-CERT

Decode Base64 Certificate

Now we have decoded that certificate, we can extract the private key with the following command.

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -nocerts -out /Users/petelong/Dropbox/PNL-PRIVATE-KEY.pem

Certificate Extract Private Key

Then to extract the identity information use the following command.

openssl pkcs12 -in /Users/petelong/Dropbox/PNL-DECODED-CERT -clcerts -nokeys -out /Users/petelong/Dropbox/PNL-IDENTITY-CERT.pem

Certificate Extract identity certificate

Import FortiGate Certificate

Now that you have those TWO files you can import them into your FortiGate, like so.

Import a Cisco ASA Certificate on a Fortigate

Related Articles, References, Credits, or External Links


Author: PeteLong

Share This Post On

Submit a Comment

Your email address will not be published. Required fields are marked *