Fingerprint on SmartCenter changed

[kai11]

last morning our SmartCenter Server was not accessible bye the the GUI-Client. ( Services not up .. ). I did a cpstop / cpstart on the Managment-Server. After that the GUI-Client could reach the server with the following message:
Warning: The Fingerprint on SmartCenter Server changed, the new Fingerprint is "....." , compare the new Fingerprint to the one displayed in the configuration tool on the SmartCenter server.

I compared the Fingerprints, they are the same.
But what has caused the message on the Clients?

thanks for your responses.

[avilT]

Even I faced the same problem today. Can anybody explain the reason for this? Has it got anythng to do with system date? Is there any expiration date for the Managenet server certificate?
Thank You

[melipla]

AFAIK the certificate does not expire. I've never had to do a cpstop / cpstart on my management server so I've never experienced your problem.

The only time I've seen prompts to accept a fingerprint has been when I've reinstalled / upgraded the dashboard on the client.

[sclausson]

I am having the same issue today. I am the only administrator of the SmartCenter Server, and i know I did not change anything. Did you ever find an answer as to why your fingerprint changed?

[RayPesek]

The SmartCenter cert has a lifetime of five years. When you reboot it or run a cpstop/cpstart and it is within 20% of 25% of the end of its life, it will auto-renew and you'll see what you're seeing.

Ray

[kaldek]

I just witnessed a problem where the certificate expired on a combined management/gateway bundle for NG FP3 (Windows), where it was also used for SecureClient VPN.

Before the certificate was able to be renewed, we had to remove Public/Private Key authentication from the traditional mode IKE settings tickbox, at which point a new certificate was able to be generated.

[Jay_D]

This is something all NG customers will encounter when their firewall is 5 years old.
There are 3 internal certificates that will get renewed. We have some sites where we have to reboot the firewall and others where it isn't necessary and even others with a bigger problem (I'll post my issue in another thread).

If your SecureClient users get a message about a cert expired, then it's the VPN Certificate which you can renew in the GUI starting from R60 (button Renew). This button is not available in R55. There you have to delete the cert and create a new one. Of course deleting will not work when VPN is already configured so you first have to uncheck all that.

If you get a fingerprint change when connecting to the SmartCenter, then it's because the management cert has changed. Sometimes this requires rebooting.

I hope this info helps.