ICA Cert expired? (screenshot inside)

[lostoath]

Can't login with SPLAT.



I've checked clocks on GUI and CLI and they match. Any ideas?
If it's the ICA - how do I renew it through CLI?

[RayPesek]

cpstop & cpstart on the SmartCenter should do the trick. It should auto-renew at 75% of its life, which is five years by default (whatever 75% of 5 is).

You'll get a message that the fingerprint changed, so you should check it against the one displayed by cpconfig on the SmartCenter.

Ray

[adam12345]

ok fixed to problem had to manually remove the certificate from the object_5_.C file and do a FWM_reset_sic and reestabilsh the sic via cpconfig, luckily it's a stand alone installtion :P

[sclausson]

I believe I am having a related issue, and want to be sure that my recently changed fingerprint is due to auto-renew, and not foul play.

RayPesek, where did you find information that the "the ICA cert is set to auto-renew at 75% of its life, which is five years by default." ??

Thanks,
Shayne

[RayPesek]

Some SK article, I don't recall which. It also happened to me 4+ years after the initial installation of the SmartCenter. How long ago was your initial installation?

If you run cpconfig on the SmartCenter, it will show you the current fingerprint, which you can match up.

Ray

[Jay_D]

There is a KB article about enable the ICA management page. There you can see the age of your certificates.

This command enables the ICA management tool:
cpca_client set_mgmt_tool on -no_ssl

now you can browse to http://yourfirewall:18265 and check the certificates

Don't forget to type this afterwards:
cpca_client set_mgmt_tool off

HTH
JD.

[RayPesek]

It would be better to not use -nossl. As I recall, there is more to the setup. You have to generate an administrator certificate for yourself and specify it on the command line so that cert is authorized and used for login and you have to import it into your computer's certificate store.

Ray