Subject: Re: [FW-1] Generation of the internal CA certificate failed.
From: Matthias Leu <mleu AT AERASEC DOT DE>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 28 Mar 2005 11:29:19 +0200
Firewall Administrator wrote:
Greetings!
I am running NG AI R54 on a Solaris 8 SmartCenter.
Just recently, when I created a new firewall (Checkpoint Gateway) network 
object I got the following error related to the ICA:
"The generation of the internal CA certificate failed.
This node will not be able to perform certain VPN-1 operations that require this 
certificate."
I can manually create the certificate by clicking on the object for the new 
firewall.  But what could cause this to stop working?
Any suggestions on how to resolve this would be greatly appreciated.  I have a 
"clone" of my production firewall manager and I tried using cpconfig to 
re-create the Internal CA, but even after making that change, it still fails to create 
the CA when I define a firewall network object.
TIA,
TJ

Hi,
is it the first Firewall object you are going to create after having
upgraded from 4.x to R54? And did you create a CA for 4.x before? I
saw this error message sometimes when the CA of 4.x hadn't been
removed before upgrading to NG. Both CAs seem not to be compatible.
What happens if you want to generate a certificate for a User or an
Administrator? Does the same error message appear?
AFAIK, there is only one possibility to solve this problem: resetting
the ICA completely with the command "fw sic_reset" on the SmartCenter.
Be careful, because this command destroys the whole ICA and all related
certificates become invalid...
Hope it helps,
best regards,
Matthias
http://www.fw-1.de
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
