Firewall Administrator wrote:
Greetings!
I am running NG AI R54 on a Solaris 8 SmartCenter.
Just recently, when I created a new firewall (Checkpoint Gateway) network 
object I got the following error related to the ICA:
"The generation of the internal CA certificate failed.
This node will not be able to perform certain VPN-1 operations that require this 
certificate."
I can manually create the certificate by clicking on the object for the new 
firewall.  But what could cause this to stop working?
Any suggestions on how to resolve this would be greatly appreciated.  I have a 
"clone" of my production firewall manager and I tried using cpconfig to 
re-create the Internal CA, but even after making that change, it still fails to create 
the CA when I define a firewall network object.
TIA,
TJ

Hi,

is it the first Firewall object you are going to create after having upgraded from 4.x to R54? And did you create a CA for 4.x before? I saw this error message sometimes when the CA of 4.x hasn't been removed before upgrading to NG. Both CAs seem not to be compatible.

What happens if you want to generate a certificate for a User or an Administrator? Does the same error message appear?

Afaik, there is only one possibility to solve this problem: resetting the ICA completely with the command "fw sic_reset" on the SmartCenter. Be careful, because this command destroys the whole ICA and all related certificates are invalid...

Hope it helps,
best regards,
Matthias

http://www.fw-1.de
--
AERAsec Network Services and Security GmbH
Wagenberger Strasse 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
