Certificate enrollment fails when trying to enroll or renew Endpoint client certificate
Symptoms
  • Certificate enrollment fails on the client when trying to enroll a new certificate (ICA certificate).
  • Certificate renewal fails with the error "certificate renewal failed".
Cause

When a user tries to renew or enroll a certificate, the Endpoint client sends the request to the Gateway.

The Gateway receives the client's request and authorizes it. When authorization succeeds, the Gateway opens a new request to the ICA (Internal Certificate Authority, hosted on the Security Management) using the "FW1_ica_services" service on TCP port 18264.

  • In some scenarios the Check Point Gateway is not on the same network segment as the Security Management, and another security device sits on the network between them and blocks requests from the Gateway to the Security Management on port 18264. In that case certificate enrollment fails, and a timeout error is displayed on both the Gateway and the Endpoint client.

  • In another scenario, the implied rules "Accept control connections" and "Accept outgoing packets originating from the Gateway" are not selected, and the rule base does not allow traffic towards the Security Management. Consequently, traffic on the "FW1_ica_services" service is dropped on the Gateway itself, causing the certificate enrollment or renewal to fail.
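The following is an added connectivity check, not part of this SecureKnowledge article or of any Check Point tool: run from the Gateway (or any host on its segment) toward the Security Management, it classifies a TCP connect to port 18264 so that a silent drop (timeout) can be told apart from a reachable ICA. The Security Management address is a placeholder argument; the diagnosis strings are only a mapping of the two causes described above.

```python
import socket
import sys

# TCP port of the FW1_ica_services service (ICA on the Security Management).
ICA_PORT = 18264

# Mapping of connect outcome to the cause scenarios described above.
DIAGNOSIS = {
    "open": "TCP 18264 reachable: the path to the ICA is not the problem.",
    "timeout": "No SYN-ACK within the timeout on TCP 18264: typical of a silent "
               "drop, either by a device between Gateway and Management or by "
               "the Gateway's own rule base (control / outgoing implied rules).",
    "refused": "Host answered with RST on TCP 18264: the path is open but "
               "nothing is listening; check the ICA service on the Management.",
    "error": "Connection attempt failed for another reason (name resolution, "
             "no route); check basic IP connectivity first.",
}


def probe_tcp(host, port=ICA_PORT, timeout=5.0):
    """Attempt a TCP handshake and return 'open', 'timeout', 'refused' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # no answer at all: consistent with a drop
        return "timeout"
    except ConnectionRefusedError:  # RST received: host reachable, port closed
        return "refused"
    except OSError:                 # DNS failure, unreachable network, ...
        return "error"


def diagnose(result):
    """Translate a probe_tcp() result into the matching cause from this article."""
    return DIAGNOSIS[result]


def start_local_listener():
    """Open a listening socket on 127.0.0.1 (ephemeral port) for a self-check."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python3 check_ica_port.py <security-management-ip-or-name>
    target = sys.argv[1] if len(sys.argv) > 1 else "MANAGEMENT_IP_PLACEHOLDER"
    outcome = probe_tcp(target)
    print(f"{target}:{ICA_PORT} -> {outcome}: {diagnose(outcome)}")
```

The self-check listener exists only so the classifier can be exercised locally; a real run needs the Security Management address as the single argument.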

Solution