nthrzerp
New Contributor

The imported local certificate is invalid

Greetings. I used a local W2003 server CA to create my own Root CA and my own self-signed certificate for my FortiWiFi 60B (v4.0, build0185, 091020 (MR1 Patch 1)) SSL VPN. Installed my Root CA and my self-signed cert on the Forti without issue. I was able to link my cert to my SSL VPN config correctly also. And finally I was able to import my Root CA into my client IE Trusted Root Certifications section. I was then fully able to have a trusted SSL VPN session on my remote client via IE.

So. I ordered an SSL certificate from DigiCert. Installed the CA piece into my FortiWiFi without issue. Tried to import the SSL certificate via the Local Certificates>Import>Local Certificate function. Nyet. "The imported local certificate is invalid".

I opened both my self-signed and the DigiCert one and checked a few odds and ends - both have sha1RSA, public key RSA (2048) and thumbprint algorithm of sha1 stated. Hmmm. So what is this error message trying to tell me? Any ideas?
nthrzerp
New Contributor

Update. Ware self-inflicted errors. After wandering through three layers of Fortinet Tech Support yesterday I/we discovered that the message "The imported local certificate is invalid" was really trying to tell me that I had inadvertently deleted the Pending request for the certificate I was trying to import. Shame on me. I asked tech support to tweak the message to: "The imported local certificate is invalid - did you perhaps delete the Pending request?"

So, just to restate this -

1. Create a Certificate Signing Request (.csr) using the Local Certificates>Generate option.
2. Download the created .csr file.
3. Use the downloaded .csr file during your SSL certificate request with DigiCert, VeriSign or whomever.
4. Take your commercial certificate home to your Fortinet device and use the CA Certificates>Import function to import the commercial CA certificate.
5. Use the Local Certificates>Import option to import your nifty, new SSL certificate.
6. Head over to the VPN>SSL>Config page and indicate your new SSL certificate in the Server Certificate drop down list.

You should be good to go.

One reason to use a commercial SSL certificate vs. your own home grown/home signed certificate - you do not have to ship the CA piece to your end users and have them install it on their local machines. For example, in IE see Tools>Internet Options>Content>Certificates - look at the Trusted Root Certificates group. DigiCert, CertSign, Entrust, etc. are already there.

Patrick
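A pre-import check for steps 2 to 5 above, added here as an example and not part of the original post or of Fortinet's tooling: it uses the openssl CLI to compare the public key in a downloaded .csr with the public key in the certificate the CA returned. It assumes the device keeps the private key with the pending request, so a match only tells you which request a certificate belongs to; the file names and the throwaway test CA are constructed.

```shell
#!/bin/sh
# Added example: confirm an issued certificate carries the same public key as a CSR.

# Print the SHA-256 of the DER public key in a PEM CSR ($1 = req) or certificate ($1 = x509).
pubkey_fp() {
    pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 if the certificate was issued for this CSR's key, 1 if not, 2 if a file cannot be parsed.
cert_matches_csr() {
    csr_fp=$(pubkey_fp req "$1") || return 2
    crt_fp=$(pubkey_fp x509 "$2") || return 2
    [ "$csr_fp" = "$crt_fp" ]
}

# Constructed sample data: two throwaway requests and a throwaway CA stand in for
# the device-generated .csr files and the commercial CA. All names are hypothetical.
make_samples() {
    d=$1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/pending.key" \
        -out "$d/pending.csr" -subj "/CN=vpn.example.test" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.key" \
        -out "$d/other.csr" -subj "/CN=vpn.example.test" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -out "$d/ca.crt" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
    openssl x509 -req -in "$d/pending.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/issued.crt" -days 1 2>/dev/null
}

# Check the issued certificate against the request it came from and against an unrelated one.
demo() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    for csr in pending.csr other.csr; do
        if cert_matches_csr "$d/$csr" "$d/issued.crt"; then
            echo "$csr: issued.crt matches this request"
        else
            echo "$csr: issued.crt does NOT match this request"
        fi
    done
    rm -rf "$d"
}

demo
```

If the certificate matches the .csr you downloaded but the device still rejects it, the pending request on the device is the next thing to check.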