SmartDashboard – The Fingerprint of the server SERVERNAME was changed

When trying to connect to the Security Management Server a warning read
“The Fingerprint of the server SERVERNAME was changed.”
…. “Do you approve the Fingerprint as valid?”

This message is very typical when you for the first time connect to the SM using SmartConsole, but this particular SM had been operational for quite some time.

When connecting to the SM using SSH there was no prompt for fingerprint change, which at the very least meant there was no MITM going on as far as the SSH-connection was concerned.

The Fingerprint of server SERVERNAME was changed

The Fingerprint of server SERVERNAME was changed.

 

The fingerprint seemed to be valid, as checked with the following command:

[Expert@CHKP-SM01:0]# cp_conf finger get

cp_conf finger get

cp_conf finger get

This meants the fingerprint was valid and all was good, the only question which remained was: Why has the fingerprint changed?
Answer: The certificate was past 75% of its life time which, by design, automatically triggers a renewal of the certificate.

 
A quick check within the ICA could indeed verify the certificate was renewed.

[Expert@CHKP-SM01:0]# cpca_client lscert | grep -A 2 cp_mgmt
Subject = CN=cp_mgmt,O=CHKP-SM01….123abc
Status = Valid Kind = SIC Serial = 7499 DP = 0
Not_Before: Sat Jun 14 22:38:16 2014 Not_After: Fri Jun 14 22:38:16 2019

Subject = CN=cp_mgmt,O=CHKP-SM01….123abc
Status = Renewed Kind = SIC Serial = 79678 DP = 0
Not_Before: Wed Sep 15 10:38:14 2010 Not_After: Tue Sep 15 10:38:14 2015

 
Facts about SIC certificates and fingerprints

  • A SIC Cert is valid for 5 years from its creation.
  • Internal Certificate (fingerprint) past 75% of its lifetime is automatically renewed
  • Other possible reasons for fingerprint change are:
    – ICA regenerated (either through corruption or fwm sic_reset).
    – Licensing changes.
    – IP address or object name of SmartCenter server was changed.

Hope this helps.

4.83 avg. rating (96% score) - 6 votes

4 Responses to SmartDashboard – The Fingerprint of the server SERVERNAME was changed

  1. is safe to say yes, and approve the new fingerprint? would it affect any of the existing configuration. thanks for your expertise

    • Hi,

      As long as the fingerprint is the same as seen on the firewall itself, using the command cpca_client lscert | grep -A 2 cp_mgmt, then yes.
      Also, the certificate has a life time of 5 years, so if it is approximatley 5 years since installation, you are good to go. But you might as well SSH to the firewall and double check.

      Accepting the new finger print will not affect your configuration.

      –Gos

Leave a Reply

Your email address will not be published. Required fields are marked *