"Cannot create certificate" error message when cannot enroll user certificate on Endpoint Security VPN client after January 24th 2018
Symptoms
  • Certificate enrollment on Endpoint Security VPN client machine fails with "Cannot create certificate" error message.

  • When adding a new gateway in SmartDashboard, operation fails with "Failed creating certificate. General problem in Certificate Authority." error:

  • The CPCA debug shows:
    [cpca PID]@GW[DATE TIME] PrepareTBSCert: no notafter
    [cpca PID]@GW[DATE TIME] fwCA::GenerateCert: cannot sign cert
  • When trying to initialize SIC with new objects, SmartDashboard shows the error: "Certificate Authority does not recognize the entity. Either the entity has been revoked or does not exist."
  • When trying to revoke and recreate the certificate, the error shows: "error . rc=1 err=-100 General error in Certificate Authority"
Cause

Environment: Management Tool User Certificate Validity Period in ICA Tool set to "7300" days

The parameter "Management Tool User Certificate Validity Period" in the ICA Tool represents the amount of time that a user certificate is valid when initiated using the Management Tool.

If the value of this parameter is set to "7300" days (20 years), the CA will not be able to add the "not valid after" field of the ToBeSigned certificate created from a template.

Starting in January 2018, the "not valid after" field will exceed the maximum Unix epoch time (January 19, 2038). Due to this, Check Point is setting the certificate expiration date to be equal to the maximum Unix epoch time.
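The arithmetic behind the date in the title, as an added example that is not part of the original article or of Check Point's code: 7300 days counted from the last 32-bit instant (2038-01-19 03:14:07 UTC) lands on 2018-01-24 03:14:07 UTC, so any 7300-day user certificate issued after that moment gets a "not valid after" value that no longer fits a signed 32-bit time_t. The helper names (utc, not_after, fits_in_int32, clamped_not_after, last_safe_issue_time, check_enrollment) are this example's own, and the clamp simply reproduces the "set expiration to the maximum epoch time" behaviour the article describes, as a model of it rather than the product's implementation.

```python
# Added example (not from the Check Point article): reproduces the
# arithmetic behind a 7300-day user certificate validity crossing the
# 32-bit Unix epoch limit, and models the clamp-to-maximum behaviour the
# article describes. All helper names below are this example's own.
from datetime import datetime, timedelta, timezone

INT32_MAX = 2**31 - 1                  # largest signed 32-bit time_t
# 2038-01-19 03:14:07 UTC: the last instant representable in 32 bits
Y2038_LIMIT = datetime.fromtimestamp(INT32_MAX, tz=timezone.utc)

# Value from the article: "Management Tool User Certificate Validity Period"
ARTICLE_VALIDITY_DAYS = 7300


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC datetime (convenience for callers and tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def not_after(issued, validity_days):
    """notAfter a CA would compute: issue time plus the validity period."""
    return issued + timedelta(days=validity_days)


def fits_in_int32(when):
    """True if this instant can be stored in a signed 32-bit time_t."""
    return int(when.timestamp()) <= INT32_MAX


def clamped_not_after(issued, validity_days):
    """Model of the workaround described in the article: cap notAfter at
    the maximum epoch time instead of letting it overflow."""
    return min(not_after(issued, validity_days), Y2038_LIMIT)


def last_safe_issue_time(validity_days):
    """Latest UTC issue instant for which notAfter still fits in 32 bits.
    Certificates issued after this instant overflow."""
    return Y2038_LIMIT - timedelta(days=validity_days)


def check_enrollment(issued, validity_days):
    """Summarise what happens for one enrollment attempt."""
    raw = not_after(issued, validity_days)
    return {
        "issued": issued.isoformat(),
        "not_after": raw.isoformat(),
        "overflows_int32": not fits_in_int32(raw),
        "clamped_not_after": clamped_not_after(issued, validity_days).isoformat(),
    }


if __name__ == "__main__":
    print("32-bit limit:", Y2038_LIMIT.isoformat())
    print("Last safe issue time for %d days: %s"
          % (ARTICLE_VALIDITY_DAYS,
             last_safe_issue_time(ARTICLE_VALIDITY_DAYS).isoformat()))
    # Constructed sample enrollments on either side of 2018-01-24.
    for issued in (utc(2018, 1, 23, 12), utc(2018, 1, 25, 12)):
        print(check_enrollment(issued, ARTICLE_VALIDITY_DAYS))
```

Running the block prints the limit, the last safe issue time (2018-01-24 03:14:07 UTC for 7300 days) and one enrollment either side of it; the second one is flagged as overflowing and its clamped notAfter collapses to 2038-01-19 03:14:07 UTC. The same function, given a shorter validity such as 3650 days, shows the cutoff moving out to January 2028, which is why reducing the validity period defers the problem rather than removing it.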


Solution