topic Re: Peer certificate verification failed after certificate replacement in General Topics

Peer certificate verification failed after certificate replacement

RemoteUser — Mon, 18 Aug 2025 12:02:36 GMT

Dear Mates,

After replacing the certificate on one Identity Broker cluster and checking the status on the others, all peers show as Connected except for one specific site.

On that site, after the certificate replacement, the command

pdp broker status -e

shows Peer certificate verification failed.

Re: Peer certificate verification failed after certificate replacement

the_rock — Mon, 18 Aug 2025 12:09:54 GMT

Hey bro,

I ran this through chatgpt (for what is worth) and it gave some things that to me, at least, make sense.

Andy

*************

🔎 Common Causes

Mismatched trust chain
- The certificate presented by the peer is not signed by a CA trusted by the PDP.
- Intermediate CA certs missing in the chain.
Expired certificate
- The peer’s certificate has expired.
Wrong CN/SAN
- The peer certificate’s Common Name (CN) or Subject Alternative Name (SAN) does not match the expected hostname/FQDN.
Certificate not yet valid
- Time/date mismatch on one of the machines.
Not installed in proper trust store
- The CA or peer certificate isn’t properly imported into the PDP’s trust store (e.g., $FWDIR/conf/pdp/).

🛠 How to Troubleshoot

Check the certificate directly

pdp broker status -v

(verbose output should show more details about which certificate it is failing to validate)
Verify date/time

date

Ensure both machines (PEP/PDP) have correct NTP sync.
List trusted CAs

pdp broker trust list

Make sure the issuing CA is present.
Reimport the CA certificate
- If missing, import the peer’s CA certificate with:
  
  pdp broker trust add <CA_cert_file>
- Then re-check with:
  
  pdp broker status -e
Check hostname vs CN
- The CN or SAN in the peer certificate must match the hostname you use in pdp broker connect.

Re: Peer certificate verification failed after certificate replacement

ProxyOps — Mon, 18 Aug 2025 13:26:22 GMT

You need to fetch the CERT Fingerprint from the subscriber via $FWDIR/bin/BrokerCertFetcher <IP Address of Subscriber>

it is all described here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topics-IDAG/Identity-Broker-Configuration.htm

you probably will face the Problem on your other PDP Broker as well, when they will check the cert again. Before you fetch the new cert via the mentioned command delete the old .pem

You want to do the whole cert replacement process during a maintenace Window to restart the pdp process the make sure, the other Brokers accept the new cert fingerprint.

best regards

Re: Peer certificate verification failed after certificate replacement

RemoteUser — Mon, 18 Aug 2025 14:26:11 GMT

i already this that > You need to fetch the CERT Fingerprint from the subscriber via $FWDIR/bin/BrokerCertFetcher <IP Address of Subscriber>
the issue was solved becuase in the identity_broker.C the subject was wrong i dont know why?
After fixed this one, now it's solved.