When trying to connect to the Security Management Server, a warning read:
“The Fingerprint of the server SERVERNAME was changed.”
… “Do you approve the Fingerprint as valid?”
This message is typical when you connect to the SM with SmartConsole for the first time, but this particular SM had been operational for quite some time.
When connecting to the SM over SSH there was no prompt about a changed fingerprint, which at the very least meant there was no MITM going on as far as the SSH connection was concerned.
The fingerprint seemed to be valid, as checked with the following command:
[Expert@CHKP-SM01:0]# cp_conf finger get
This meant the fingerprint was valid and all was good; the only question that remained was: why had the fingerprint changed?
Answer: the certificate was past 75% of its lifetime, which by design automatically triggers a renewal of the certificate.
A quick check in the ICA confirmed that the certificate had indeed been renewed:
[Expert@CHKP-SM01:0]# cpca_client lscert | grep -A 2 cp_mgmt
Subject = CN=cp_mgmt,O=CHKP-SM01….123abc
Status = Valid Kind = SIC Serial = 7499 DP = 0
Not_Before: Sat Jun 14 22:38:16 2014 Not_After: Fri Jun 14 22:38:16 2019
--
Subject = CN=cp_mgmt,O=CHKP-SM01….123abc
Status = Renewed Kind = SIC Serial = 79678 DP = 0
Not_Before: Wed Sep 15 10:38:14 2010 Not_After: Tue Sep 15 10:38:14 2015
Facts about SIC certificates and fingerprints
- A SIC Cert is valid for 5 years from its creation.
- An internal certificate (fingerprint) past 75% of its lifetime is automatically renewed.
- Other possible reasons for a fingerprint change are:
– ICA regenerated (either through corruption or fwm sic_reset).
– Licensing changes.
– The IP address or object name of the SmartCenter server was changed.
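To make the 75% rule concrete, here is an added example (my own code, not part of the original post or any Check Point tool) that parses the `cpca_client lscert | grep -A 2 cp_mgmt` output shown above, computes the point at which each certificate crosses 75% of its validity window, and decides whether a new cp_mgmt certificate is explained by automatic renewal. The sample text is constructed from the two entries in the post; the assumptions are that the 75% threshold is a linear fraction of the Not_Before/Not_After window and that the renewal job may fire up to a day away from that exact instant (the one-day slack is mine). On the post's own dates the computed 75% point of the old certificate lands within a day of the new certificate's Not_Before.

```python
"""Added example (not from the original post): check the 75%-of-lifetime
SIC certificate renewal rule against `cpca_client lscert` output."""
import re
from datetime import datetime, timedelta

# Constructed sample: the two cp_mgmt entries shown in the post, as printed by
# `cpca_client lscert | grep -A 2 cp_mgmt` (grep's "--" separator included).
SAMPLE_LSCERT = """\
Subject = CN=cp_mgmt,O=CHKP-SM01….123abc
Status = Valid Kind = SIC Serial = 7499 DP = 0
Not_Before: Sat Jun 14 22:38:16 2014 Not_After: Fri Jun 14 22:38:16 2019
--
Subject = CN=cp_mgmt,O=CHKP-SM01….123abc
Status = Renewed Kind = SIC Serial = 79678 DP = 0
Not_Before: Wed Sep 15 10:38:14 2010 Not_After: Tue Sep 15 10:38:14 2015
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"   # ctime-style stamps used by lscert
RENEWAL_THRESHOLD = 0.75            # fraction of lifetime that triggers renewal (from the post)

_SUBJECT = re.compile(r"^Subject = (.+)$")
_STATUS = re.compile(r"^Status = (\w+)\s+Kind = (\w+)\s+Serial = (\d+)")
_DATES = re.compile(r"^Not_Before: (.+?)\s+Not_After: (.+)$")


def parse_lscert(text):
    """Return one dict per certificate block found in lscert-style output."""
    certs, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SUBJECT.match(line):
            cur = {"subject": m.group(1)}
            certs.append(cur)
        elif m := _STATUS.match(line):
            cur.update(status=m.group(1), kind=m.group(2), serial=int(m.group(3)))
        elif m := _DATES.match(line):
            cur["not_before"] = datetime.strptime(m.group(1), DATE_FMT)
            cur["not_after"] = datetime.strptime(m.group(2), DATE_FMT)
    return certs


def lifetime_fraction(cert, now):
    """Fraction of the certificate's validity window that has elapsed at `now`."""
    total = (cert["not_after"] - cert["not_before"]).total_seconds()
    elapsed = (now - cert["not_before"]).total_seconds()
    return elapsed / total


def renewal_point(cert, threshold=RENEWAL_THRESHOLD):
    """Instant at which the certificate crosses the renewal threshold."""
    total = (cert["not_after"] - cert["not_before"]).total_seconds()
    return cert["not_before"] + timedelta(seconds=total * threshold)


def renewal_due(cert, now, threshold=RENEWAL_THRESHOLD):
    """True once the certificate is at or past the renewal threshold."""
    return lifetime_fraction(cert, now) >= threshold


def explain_fingerprint_change(certs, cn="cp_mgmt"):
    """Classify a changed management fingerprint from the ICA's cert list.

    Returns "automatic renewal" when the newest Valid <cn> certificate was
    issued at (or within a day of) the 75% point of the Renewed one,
    "replaced early" when it was issued well before that point (ICA reset,
    licensing or IP/name change are then the candidates the post lists),
    and "no renewal seen" when there is no Renewed/Valid pair to compare.
    """
    mgmt = [c for c in certs if c["subject"].startswith("CN=%s," % cn)]
    renewed = [c for c in mgmt if c["status"] == "Renewed"]
    valid = [c for c in mgmt if c["status"] == "Valid"]
    if not renewed or not valid:
        return "no renewal seen"
    old = max(renewed, key=lambda c: c["not_before"])
    new = max(valid, key=lambda c: c["not_before"])
    # Assumed slack: the renewal job need not fire at the exact second.
    if new["not_before"] >= renewal_point(old) - timedelta(days=1):
        return "automatic renewal"
    return "replaced early"


if __name__ == "__main__":
    certs = parse_lscert(SAMPLE_LSCERT)
    for c in certs:
        print(c["serial"], c["status"], c["not_before"].date(), "->",
              c["not_after"].date(), "75% point:", renewal_point(c))
    print(explain_fingerprint_change(certs))
```

Run it against the output of `cpca_client lscert` copied from your own server: a "replaced early" result is the cue to look at the other causes listed above rather than at the 75% rule.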
Hope this helps.
Great information, well explained.
Is it safe to say yes and approve the new fingerprint? Would it affect any of the existing configuration? Thanks for your expertise.
Hi,
As long as the fingerprint is the same as seen on the firewall itself, using the command cpca_client lscert | grep -A 2 cp_mgmt, then yes.
Also, the certificate has a lifetime of 5 years, so if it is approximately 5 years since installation, you are good to go. But you might as well SSH to the firewall and double check.
Accepting the new fingerprint will not affect your configuration.
–Gos
Thank you very much for this information. It was very accurate and on point!!!
Absolutely on the button – many thanks!
The information was on point. Thank you !!!