"Cannot create certificate" error message when cannot enroll user certificate on Endpoint Security VPN client after January 24th 2018

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk122874
Technical Level
Product	Endpoint Security Server, Endpoint Security VPN
Version	R77.30, R80.10, R80.20
Date Created	09-Feb-2018
Last Modified	07-May-2019

Symptoms

Certificate enrollment on Endpoint Security VPN client machine fails with "Cannot create certificate" error message.
When adding a new gateway in SmartDashboard, operation fails with "Failed creating certificate. General problem in Certificate Authority." error:

Th CPCA debug shows:

[cpca PID]@GW[DATE TIME] PrepareTBSCert: no notafter
[cpca PID]@GW[DATE TIME] fwCA::GenerateCert: cannot sign cert

When trying to initialize SIC with new objects SmartDashboard shows error : Certificate Authority does not recognize the entity. either the entity has been revoked or does not exist.
When trying to revoke and recreate certificate the error shows : error . rc=1 err=-100 General error in Certificate Authority

Cause

Environment: Management Tool User Certificate Validity Period in ICA Tool set to "7300" days

The parameter "Management Tool User Certificate Validity Period" in the ICA Tool represents the amount of time that a user certificate is valid when initiated using the Management Tool.

If the value of this parameter is set to "7300" days (20 years), the CA will not able to add the "not valid after" field of the ToBeSigned certificate created from a template.

Starting on January 2018, the "not valid after" field will exceed the maximum Unix epoch time (January 19, 2038). Due to this, Check Point is setting the certificate expiration date to be equal to the maximum Unix epoch time.

Solution

Note: To view this solution you need to Sign In .