I'm trying to set up SecureClient to NG FP2 that was upgraded from Firewall-1
to FW-1/VPN-1.  I am using Hybrid mode and am receiving an error that IKE
can't establish because of a missing certificate.  I check the internally
derived cert under the FW properties VPN tab.  It exists but the DN is
blank.  Checking objects_5_0.C reveals dn() under the certificate section.
When I attempt to view or delete the cert I receive an error.

Checking InternalCA.NDB via "cpca_dbutil print InternalCA" shows the two
certificates below (my-fw is the name of the firewall, which runs the mgmt
server and is also the primary enforcement node).

It seems I have a couple of choices:

1)  Edit objects_5_0.C putting something (but what -- "cn=my-fw vpn
certificate,o=my-fw"?) in as the dn.
2)  Perform a "fwm sic_reset", edit the certificate in objects_5_0.C, and
run cpconfig.  Will this work on a combined Mgmt/enforcement box?

Any other options?  Can anyone compare their InternalCA CN with their
objects_5_0.C file and let me know how/if they match up?

TIA,

-Steve S.


key is 1336748812   Type is : PRIMARY
(
        :Status (1)
        :Kind (0)
        :Certificate (
                :cert (--HIDDEN--)
        )
        :CommonName ("cn=cp_mgmt,o=my-fw..eqsxun")
)
-------------------------------------------------------
key is 1255155147   Type is : PRIMARY
(
        :Status (1)
        :Kind (1)
        :Certificate (
                :cert (--HIDDEN--)
        )
        :CommonName ("cn=my-fw vpn certificate,o=my-fw..eqsxun")
)
-------------------------------------------------------
key is KEY   Type is : SALT
(
        :salt (7092d9de66ef28002560a4c701a42238d4676e5f)
)
[ 6907]@my-fw fwKeyHolder:
[ 6907]@my-fw       Root CAs
[ 6907]@my-fw                1: internal_ca
[ 6907]@my-fw                       O=my-fw..eqsxun
[ 6907]@my-fw       Certified keys
[ 6907]@my-fw                1: certified
[ 6907]@my-fw                       Has Private
[ 6907]@my-fw                       O=my-fw..eqsxun
[ 6907]@my-fw                       Root: internal_ca
