How to handle the VPN-1 certificate after an upgrade from 4.1 to NG?

[roadrunner]

How to handle the VPN-1 certificate after an upgrade from 4.1 to NG?
If you have a problem with an old certificate that is still present after your upgrade from 4.1 to NG you should remove the old certificate from the firewall object and close the object.

It is likely you will not be able to generate a new one. In which case you need to cpstop the VPN-1, run fwm sic_reset and restart the VPN-1 again. Then use cpconfig to create a new CA

After this little exercise you should be able to edit the firewall object and a new certificate will be generated. Which in turn should enable you with a working VPN-1 setup.

If you can not remove the certificate you may have to disable the VPN-1 features that lock the certificate and try again.

If this fails as well you have to stop the VPN-1 completely and remove the certificates and such manually from a number of files. Edit $FWDIR/conf/objects_5_0.C (refer to EditingObjectsDotC for guidelines). Look for the following section :

:certificates (
: (demone-auth
:AdminInfo (
:chkpf_uid ("{8AD40154-F442-433D-B561-14D7AC7657E2}")
:ClassName (certificate)
..........
)
Modify it all so it looks only like this:
:certificates ()
Now start the management console and do an fw sic_reset again.
The upgrade script does take along the certificates generated for Hybrid Mode, but uses it with the new CA. This is listed as a limitation of the upgrade script in the documentation.

The fast way around it:


Record VPN settings of the firewall object.
Remove VPN-1 from the firewall object.
Do SIC reset. (fwm sic_reset)
Recreate the CA. (cpconfig)
Enable VPN-1 on the firewall object and certificate gets created.
Set VPN settings back on the firewall object.
-- PhoneBoy - 01 Jan 2004


FAQForm
FAQs.Class: EncryptionFAQs, InstallAndUpgradeFAQs
FAQs.OS:
FAQs.Version: