SmartDashboard crashes when enrolling a certificate in a Security Gateway object with an authentication code from a subCA
Symptoms
  • SmartDashboard crashes when, in a Security Gateway object, you try to enroll a certificate with an authentication code from a subCA:

    1. Open Security Gateway properties
    2. Go to 'IPSec VPN' pane
    3. Go to 'Repository of Certificates Available to the Gateway' section
    4. Click on 'Add...' button
    5. Enter the relevant certificate information
    6. Click on 'OK'
    7. The 'Generating Signature Keys' window shows: "Bad CA certificate."
    8. At this point, SmartDashboard crashes.
  • After SmartDashboard crashes, it is not possible to connect to the Security Management Server with any GUI client (error: 'Connection cannot be initiated') until all Check Point services are restarted on the Security Management Server with the 'cpstop;cpstart' commands.

  • After SmartDashboard crashes, the output of the 'cpwd_admin list' command on the Security Management Server shows that the FWM process is terminated ("T") and restarted multiple times.

  • The FWM process crashes and generates core dump files.

  • Debug of FWM daemon (per sk86186) shows:

    [FWM PID ...]@HostName[Date Time] fwCRLCache_Get: dp (CN=...,DC=...,DC=...) was not found in memory cache.
    [FWM PID ...]@HostName[Date Time] fwCRLCache_Get_from_dp: dp (CN=...,DC=...,DC=...) was not found in cache (memory).
    [FWM PID ...]@HostName[Date Time] fwFetchCRL_e_With_Reason: CRL was not found in cache. Will fetch it async. 
    [FWM PID ...]@HostName[Date Time] fwCert_ValCerts: Could not retrieve CRL.CN=...,C=...
    [FWM PID ...]@HostName[Date Time] SCEP_validateCerts: Failed to validate the retuned certificates
    [FWM PID ...]@HostName[Date Time] fwm_AutomaticEnrollCb: errmsg=Bad certificate chain in the response.
     AutomaticEnrollSendReply: Bad certificate chain in the response.
    [FWM PID ...]@HostName[Date Time] cpmi_send_sset: session=0x..., id=..., last=1, set=
    (
    	:body (
    		:reason (-91)
    		:error ("Bad certificate chain in the response.")
    		:message ("Certificate operation failed")
    		:operation-ok (false)
    	)
    	:subject (operation-done)
    )
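
An added example (not part of the original article and not Check Point tooling): a Python triage function that scans saved FWM debug output for the failure sequence shown above and returns one record per failed SCEP enrollment, including the case where the log ends before the reply is written. The sample log is constructed; its PID, host name, timestamps and DNs are placeholders, and the function name is hypothetical.

```python
import re

# Constructed sample in the shape of the FWM debug excerpt above; the PID,
# host name, timestamps and DNs are placeholders, not values from a real system.
SAMPLE = """\
[FWM 1111]@mgmt-example[1 Jan 10:00:00] fwCRLCache_Get: dp (CN=ExampleSubCA,DC=example,DC=test) was not found in memory cache.
[FWM 1111]@mgmt-example[1 Jan 10:00:00] fwFetchCRL_e_With_Reason: CRL was not found in cache. Will fetch it async.
[FWM 1111]@mgmt-example[1 Jan 10:00:00] fwCert_ValCerts: Could not retrieve CRL.CN=ExampleSubCA,C=XX
[FWM 1111]@mgmt-example[1 Jan 10:00:00] SCEP_validateCerts: Failed to validate the retuned certificates
[FWM 1111]@mgmt-example[1 Jan 10:00:00] fwm_AutomaticEnrollCb: errmsg=Bad certificate chain in the response.
(
    :body (
        :reason (-91)
        :error ("Bad certificate chain in the response.")
        :operation-ok (false)
    )
    :subject (operation-done)
)
[FWM 1111]@mgmt-example[1 Jan 10:05:00] fwCRLCache_Get: dp (CN=OtherCA,DC=example,DC=test) was not found in memory cache.
"""

DP = re.compile(r"fwCRLCache_Get: dp \((.*?)\) was not found")
NO_CRL = re.compile(r"fwCert_ValCerts: Could not retrieve CRL\.(.*)")
REASON = re.compile(r":reason \((-?\d+)\)")
ERROR = re.compile(r':error \("(.*)"\)')

def find_scep_enroll_failures(lines):
    """Return one record per failed SCEP enrollment found in FWM debug lines."""
    hits, ctx, rec = [], {}, None
    for n, line in enumerate(lines, 1):
        if m := DP.search(line):
            ctx["crl_dp"] = m.group(1)                # CRL distribution point missed
        elif m := NO_CRL.search(line):
            ctx["crl_missing_for"] = m.group(1).strip()
        elif "SCEP_validateCerts: Failed to validate" in line:
            rec = {"line": n, "reason": None, "error": None, "reply_seen": False, **ctx}
            ctx = {}                                  # context consumed by this failure
        elif rec is not None:
            if m := REASON.search(line):
                rec["reason"] = int(m.group(1))
            elif m := ERROR.search(line):
                rec["error"] = m.group(1)
            elif ":subject (operation-done)" in line: # end of the CPMI reply set
                rec["reply_seen"] = True
                hits.append(rec)
                rec = None
    if rec is not None:                               # log ended before the reply
        hits.append(rec)
    return hits
```

Call it with the lines of a saved debug file, for example `find_scep_enroll_failures(open(path).read().splitlines())`, where `path` is wherever the debug output was written.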
    
Cause
  • The authentication code from the subordinate CA cannot be used to enroll the certificate, because the root CA is always used for enrollment regardless of the object you actually chose to enroll with.
  • The FWM process crashes when enrolling a certificate using the SCEP protocol.
