Specialist

Corrupted Internal CA?

Hello, when I run this command on SmartManager, "fwm printcert -ca internal_ca", I get no response back. I believe it's to do with the Internal CA missing or something similar.

It's causing issues when trying to enable the VPN blade on all our gateways; when trying to generate a cert I get a message back: "Failed to get the CA server's certificate".

Any ideas how I can confirm this is the issue and how to fix it?

11 Replies
Employee+

Check out this SK for more options: How to determine an SIC Certificate's expiration date 

Alternatively, enable the WebUI for the ICA and check that way.

Good luck

Peter !!

Admin

Before anything else, please run the following on your management server:

cpwd_admin list

and make sure your cpd process is up and running.

Specialist

Interesting, I am not seeing it:

CPVIEWD
CPD
FWD
FWM
STPR
SVR
CPSEAD
CPWMD
CPHTTPD
SMARTLOG_SERVER
DASERVICE
CPSM

Just did a cpstart and it's still not showing either.

Admin

Sorry, a typo, it should be cpd. Are you still experiencing the issue after cpstop | cpstart?

Specialist

Hello,

No change after stop/start, still the same error; anything to do with the internal CA seems to fail. I also installed the latest hotfix to see if it would help, but no difference.

If I run this command:

cpca_client lscert -kind SIC | grep -A 2 "CN=cp_mgmt,"

There is a cert that expires in 2021, and the o= matches the name of the manager. So far this all seems OK.

Admin

Please open a support request with TAC, thank you.

Specialist

After a lot of reading, it seems the only option for me is to follow sk108966.

My default VPN cert is showing as expired 4 years ago (cpca_client lscert -kind IKE), and I am not able to renew it.

Can anyone give me some real-life experience of what resetting the SIC will actually do? Will the firewalls stop passing traffic as soon as I run that command on the management server? We have firewalls in a cluster; can I do this as a hitless procedure?

Admin
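The two checks above (listing SIC certificates with `cpca_client lscert -kind SIC` and noticing that the IKE certificate from `cpca_client lscert -kind IKE` expired years ago) are the kind of thing worth scripting so that expired or revoked ICA-issued certificates show up before a blade enablement fails. The following is an added example, not code from the thread or from Check Point: it parses lscert-style output and classifies every certificate as ok, expiring, expired, or by its non-Valid status. The sample text is constructed, and the exact line layout it assumes (a Subject line, a Status/Kind/Serial line, and a Not_Before/Not_After line per certificate) is an assumption about the command's output, not a capture from a real management server; adjust the regular expressions if your build prints the fields differently.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample in the assumed shape of `cpca_client lscert` output.
# Subjects, serials and dates are invented; the layout is an assumption.
SAMPLE_LSCERT = """\
Subject = CN=cp_mgmt,O=mgmt-srv..abc123
Status = Valid   Kind = SIC   Serial = 41001   DP = 0
Not_Before: Tue Jan  5 10:00:00 2016   Not_After: Sun Jan  3 10:00:00 2021

Subject = CN=fw-cluster-a VPN Certificate,O=mgmt-srv..abc123
Status = Valid   Kind = IKE   Serial = 41002   DP = 0
Not_Before: Mon Mar  3 09:00:00 2014   Not_After: Fri Mar  2 09:00:00 2018

Subject = CN=fw-cluster-b VPN Certificate,O=mgmt-srv..abc123
Status = Revoked   Kind = IKE   Serial = 41003   DP = 0
Not_Before: Mon Mar  3 09:00:00 2014   Not_After: Fri Mar  2 09:00:00 2018
"""

# ctime-style timestamp as assumed in the sample above ("Sun Jan  3 10:00:00 2021").
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_lscert(text):
    """Split lscert-style text into one dict per certificate."""
    certs = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Subject\s*=\s*(.+)", line)
        if m:                      # a new Subject line starts a new record
            if current:
                certs.append(current)
            current = {"subject": m.group(1).strip()}
            continue
        m = re.search(r"Status\s*=\s*(\S+)", line)
        if m:
            current["status"] = m.group(1)
        m = re.search(r"Kind\s*=\s*(\S+)", line)
        if m:
            current["kind"] = m.group(1)
        m = re.search(r"Not_Before:\s*(.+?)\s+Not_After", line)
        if m:
            current["not_before"] = datetime.strptime(m.group(1), DATE_FMT)
        m = re.search(r"Not_After:\s*(.+?)\s*$", line)
        if m:
            current["not_after"] = datetime.strptime(m.group(1), DATE_FMT)
    if current:
        certs.append(current)
    return certs


def cn_of(subject):
    """Return the CN component of a subject string, or None."""
    m = re.search(r"CN=([^,]+)", subject)
    return m.group(1).strip() if m else None


def find_by_cn(certs, cn):
    """Equivalent of grepping for "CN=<name>," in the command output."""
    return [c for c in certs if cn_of(c["subject"]) == cn]


def expiry_report(certs, now, warn_days=90):
    """Classify each certificate relative to `now`.

    A non-Valid status (e.g. Revoked) is reported as that status; otherwise
    the record is 'expired', 'expiring' (within warn_days) or 'ok'.
    """
    report = []
    for c in certs:
        remaining = c["not_after"] - now
        status = c.get("status", "unknown")
        if status != "Valid":
            state = status.lower()
        elif remaining < timedelta(0):
            state = "expired"
        elif remaining < timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        report.append({
            "kind": c.get("kind", "?"),
            "cn": cn_of(c["subject"]),
            "state": state,
            "days_left": remaining.days,
        })
    return report


if __name__ == "__main__":
    # Usage: cpca_client lscert -kind IKE | python3 check_lscert.py
    # With no piped input the constructed sample is used instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSCERT
    for row in expiry_report(parse_lscert(text), now=datetime.now()):
        print("{kind:4} {state:9} {days_left:6d}d  CN={cn}".format(**row))
```

Run it against `cpca_client lscert -kind IKE` output on the management server and anything reported as expired or revoked is a certificate the gateway's VPN blade can no longer use; the `expiring` class gives you the renewal window before that happens.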

Once more, please open a support request. A TAC engineer will help you fix the issue. The issue may not be related to the certificate specifically. It needs proper troubleshooting and an action plan for resolution.

Following the standard support procedures is the best and fastest way.

Employee+

IKE is a different certificate from SIC. Resetting SIC will not resolve IKE certificate issues. Please follow Valeri's recommendation and let support have a look. This does not look anything like a configuration error.

BR

Peter !!

Specialist

Hello, TAC have confirmed to reset the SIC on the manager to fix the issue.

I am still not entirely sure what the impact of doing this is; doing it to a cluster, can I avoid any outage?

Admin

If you do it correctly and gradually, the impact should be minimal. Ask support to assist you if in any doubt.
