First, you must be on the management console. Type:
fw sic_reset
This will wipe your internal CA and stop the firewall. Next, run
"cpconfig" and reinitialize your internal CA. Finally, restart the
firewall (cpstart), and log in. Your GUI should ask you to verify a new
fingerprint.
Warning: you may get the error: 

*** Checking IKE Certificates ***
There are IKE Certificates that were generated by the
internal Certificate Authority.
Please remove them (using the Policy Editor) so that
the internal Certificate Authority can be destroyed.

SIC Reset operation could not be completed
This indicates an object(s), most likely your firewall, has an IKE cert
under the VPN tab. You must delete this cert to continue. If you can't
get into the GUI because the cert is boned, you must edit
$FWDIR/conf/objects_5_0.C after stopping the firewall and edit your
firewall object. You will see a "certificates" subsection that looks
like:
    :certificates (
        : (demone-auth
            :AdminInfo (
                :chkpf_uid ("{8AD40054-F442-433D-B561-14D7AC7657E2}")
                :ClassName (certificate)
            )
            :"#certreq-pki-gen" (false)
            :"#pki-host-cert-set" (false)
            :ca (ReferenceObject
                :Name (InterSecRoot)
                :Table (servers)
                :Uid ("{29CF35A6-D330-4D75-B2BE-A1FE45E4B0BB}")
            )
            :dn ("CN=Administrator,[EMAIL PROTECTED]")
            :pkisignkey (177eac7c923f71adc618f6a7)
            :status (signed)
            :stored.at (management_server)
        )
    )
Modify this so it looks like:
:certificates ()
and start your firewall. Try "fw sic_reset" again.

Renata Vincoletto
Siemens Business Service - TS W/Security
tel 55 11 3908-2121
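
Added example (not part of the original message, and not Check Point tooling): one way to make the manual edit described above less error-prone is to empty the ":certificates" subsection of a single named object by matching parentheses instead of deleting lines by eye. The sample text, object names and function names are constructed for illustration; it assumes balanced parentheses, double-quoted strings, and that you work on a copy of the file while the firewall is stopped.

```python
import re

# Constructed sample in the style of objects_5_0.C; names and values are made up.
SAMPLE = """:network_objects (
    : (fw-mgmt
        :certificates (
            : (sample-cert
                :dn ("CN=fw-mgmt (lab),O=example")
                :status (signed)
            )
        )
        :ipaddr (192.0.2.1)
    )
    : (fw-remote
        :certificates (
            : (other-cert
            )
        )
    )
)
"""

def block_end(text, open_idx):
    """Index just past the ')' closing the '(' at open_idx; quoted parens are ignored."""
    depth, in_str = 0, False
    for i in range(open_idx, len(text)):
        ch = text[i]
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced parentheses, refusing to edit")

def clear_certificates(text, object_name):
    """Return (new_text, removed_cert_names), touching only the named object."""
    obj = re.search(r":\s*\(" + re.escape(object_name) + r"\s*\n", text)
    if obj is None:
        raise KeyError(object_name)
    obj_open = text.index("(", obj.start())
    sub = re.compile(r":certificates\s*\(").search(text, obj_open, block_end(text, obj_open))
    if sub is None:
        return text, []
    sub_stop = block_end(text, sub.end() - 1)
    removed = re.findall(r":\s*\((\S+)\s*\n", text[sub.end():sub_stop])
    return text[:sub.start()] + ":certificates ()" + text[sub_stop:], removed
```

Diff the result against the untouched backup before putting it in place; only the one certificates block should differ.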


-----Original Message-----
From: Juan Antonio Garza Garza [mailto:[EMAIL PROTECTED]] 
Sent: Friday, April 26, 2002 14:31
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] Upgrading Fw-1,Vpn1 4.1 Module to NG
(Sic,certificatealreadyexists)


Thanks Gertraud,
    Mhh does anyone know how to revoke an SSLKey from NG's SVN?

Best Regards,


Gertraud Unterreitmeier wrote:

> Hello Juan,
>
> using OpenSSL you can only have one valid Certificate for
> the same name. There you first have to revoke or expire this
> certificate. Might be the same with Checkpoint Certificates.
>
> Regards,
>
> Gertraud
>
> Juan Antonio Garza Garza wrote:
> >
> > Hi,
> >          We had a Fw Management+Enforcement Module 4.1, and another
> > Enforcement Module (fw-1+vpn1) 4.1.
> >
> >          We upgraded to NG FP1 the Management Module Machine,
> > successfully.
> >          When we are trying to Upgrade the Enforcement, when we try
> > to reconfigure the object with NG FP1, and try to initialize SIC it
> > gives us the next error:
> >          A certificate with this name already exists, please specify
> > a different name and try again.
> >
> > Does anyone know how to correct this?
> >
> > Regards,
> > --
> > Juan Antonio Garza Garza
> > STR Manager
> > C  I  T  I
> > Sendero Sur 285 Colonia Contry Monterrey, NL 64860 Mexico Tel (528) 
> > 357 2267, ext. / Fax 357 8047
> > Pager: 5105702  tel: 1511111
> > e-mail: [EMAIL PROTECTED]
> > http://www.citi.com.mx
> >
> > =================================================
> > To set vacation, Out Of Office, or away messages,
> > send an email to [EMAIL PROTECTED]
> > in the BODY of the email add:
> > set fw-1-mailinglist nomail 
> > =================================================
> > To unsubscribe from this mailing list,
> > please see the instructions at 
> > http://www.checkpoint.com/services/mailing.html
> > =================================================
> > If you have any questions on how to change your subscription 
> > options, email [EMAIL PROTECTED]
> > =================================================

--
Juan Antonio Garza Garza
STR Manager
C  I  T  I
Sendero Sur 285 Colonia Contry Monterrey, NL 64860 Mexico
Tel (528) 357 2267, ext. / Fax 357 8047
Pager: 5105702  tel: 1511111
e-mail: [EMAIL PROTECTED]
http://www.citi.com.mx
