This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
RemoteUser
Advisor
‎2025-08-18 05:02 AM
Jump to solution

Peer certificate verification failed after certificate replacement

Dear Mates,

After replacing the certificate on one Identity Broker cluster and checking the status on the others, all peers show as Connected except for one specific site.

On that site, after the certificate replacement, the command

pdp broker status -e


shows Peer certificate verification failed.

0 Kudos
1 Solution

Accepted Solutions
RemoteUser
Advisor
‎2025-08-18 07:26 AM
In response to ProxyOps
Jump to solution

i already this that > You need to fetch the CERT Fingerprint from the subscriber via $FWDIR/bin/BrokerCertFetcher <IP Address of Subscriber>
the issue was solved becuase in the  identity_broker.C the subject was wrong i dont know why?
After fixed this one, now it's solved.

View solution in original post

0 Kudos
3 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-08-18 05:09 AM
Jump to solution

Hey bro,

I ran this through chatgpt (for what is worth) and it gave some things that to me, at least, make sense.

Andy

*************

 

🔎 Common Causes

  1. Mismatched trust chain

    • The certificate presented by the peer is not signed by a CA trusted by the PDP.

    • Intermediate CA certs missing in the chain.

  2. Expired certificate

    • The peer’s certificate has expired.

  3. Wrong CN/SAN

    • The peer certificate’s Common Name (CN) or Subject Alternative Name (SAN) does not match the expected hostname/FQDN.

  4. Certificate not yet valid

    • Time/date mismatch on one of the machines.

  5. Not installed in proper trust store

    • The CA or peer certificate isn’t properly imported into the PDP’s trust store (e.g., $FWDIR/conf/pdp/).

🛠 How to Troubleshoot

  1. Check the certificate directly

     
    pdp broker status -v

    (verbose output should show more details about which certificate it is failing to validate)

  2. Verify date/time

     
    date

    Ensure both machines (PEP/PDP) have correct NTP sync.

  3. List trusted CAs

     
    pdp broker trust list

    Make sure the issuing CA is present.

  4. Reimport the CA certificate

    • If missing, import the peer’s CA certificate with:

       
      pdp broker trust add <CA_cert_file>

    • Then re-check with:

       
      pdp broker status -e

  5. Check hostname vs CN

    • The CN or SAN in the peer certificate must match the hostname you use in pdp broker connect.

Best,
Andy
0 Kudos
ProxyOps
Contributor
‎2025-08-18 06:26 AM
Jump to solution

You need to fetch the CERT Fingerprint from the subscriber via $FWDIR/bin/BrokerCertFetcher <IP Address of Subscriber>

 

it is all described here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_IdentityAwareness_AdminGuide/Topic...

 

you probably will face the Problem on your other PDP Broker as well, when they will check the cert again. Before you fetch the new cert via the mentioned command delete the old .pem

You want to do the whole cert replacement process during a maintenace Window to restart the pdp process the make sure, the other Brokers accept the new cert fingerprint. 

best regards

RemoteUser
Advisor
‎2025-08-18 07:26 AM
In response to ProxyOps
Jump to solution

i already this that > You need to fetch the CERT Fingerprint from the subscriber via $FWDIR/bin/BrokerCertFetcher <IP Address of Subscriber>
the issue was solved becuase in the  identity_broker.C the subject was wrong i dont know why?
After fixed this one, now it's solved.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events