Skip to Content

Solved: How do I check if a certificate and key belong to a CSR

This article describes how to check if a certificate and key belong to a CSR. In this example, the CSR is created on the FortiGate, and it is signed manually by a 3rd party.

On a FortiGate, the following error will appear in the GUI if a user tries to upload a mismatching certificate:

Certificate file is duplicated for CA/LOCAL/REMOTE/crl cert.

Debug will show the following error:

# diag debug reset
# diag debug console timestamp enable
# diag debug cli 8
# diag debug cmdb-trace 1
# diagnose debug application httpsd -1
# diag debug enable
2022-07-05 11:06:48 [httpsd 14065 - 1657012008 error] cert_import_common_result[7964] -- Import failed due to error: -328

One of the causes is mismatching cert and CSR.

If the CSR, certificate and key are available, the checksums can be checked with openssl to see if they match.

Mismatching cert and CSR example:

[email protected]:~$ openssl x509 -noout -modulus -in /mnt/c/User/lab/cert.cer | openssl md5
(stdin)= c8c5f07c07cfff27c71e8fd1b23e1cd1

[email protected]:~$ openssl req -noout -modulus -in /mnt/c/User/lab/csr.csr | openssl md5
(stdin)= a54a6d75362e6ffdf047f594392ef5e7

Matching cert and CSR example:

[email protected]:~$ openssl x509 -noout -modulus -in /mnt/c/User/lab/1cert_upload_test.local.cer | openssl md5
(stdin)= bf92bdc82b8aff1ad2246af8c4f1be31

[email protected]:~$ openssl req -noout -modulus -in /mnt/c/User/lab/1cert_upload_test.local.csr | openssl md5
(stdin)= bf92bdc82b8aff1ad2246af8c4f1be31

For checking a key, use the following command:

openssl rsa -noout -modulus -in <pathtothekey> | openssl md5


    Ads Blocker Image Powered by Code Help Pro

    Ads Blocker Detected!!!

    This site depends on revenue from ad impressions to survive. If you find this site valuable, please consider disabling your ad blocker.