https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19382#M14154 <HTML><HEAD></HEAD><BODY><P>The only certs I have are the localhost self signed for the web gui and the HA certs.</P><P></P><P>Scott Thompson</P><P>National Labor Relations Board</P><P>202-273-4097</P></BODY></HTML> Mon, 21 May 2012 19:54:44 GMT LCMember4715 2012-05-21T19:54:44Z https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19380#M14152 <HTML><HEAD></HEAD><BODY><P>enabled FIPS over the weekend now I get the message <SPAN style="font-size: 12.0pt; font-family: &amp;quot;Times New Roman&amp;quot;,&amp;quot;serif&amp;quot;; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">: Key generation operation failed - RSA when commiting</SPAN></P></BODY></HTML> Mon, 21 May 2012 19:22:43 GMT https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19380#M14152 LCMember4715 2012-05-21T19:22:43Z https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19381#M14153 <HTML><HEAD></HEAD><BODY><P>Did you use any selfsigned or imported certificates before you enabled FIPS-mode?</P><P></P><P>Since according to the manual (PAN-OS_4.1_CLI_Reference_Guide.pdf, page 305):</P><P></P><P>"</P><P>Appendix C<BR />Federal Information Processing Standards Support</P><P></P><P>You can configure the firewall to support the Federal Information Processing Standards 140-2 (FIPS 140-2), which are used by civilian U.S. government agencies and government contractors.</P><P></P><P>To enable FIPS mode on a software version that supports FIPS, boot the firewall into maintenance mode and then select Set FIPS Mode from the main menu.</P><P></P><P>For instructions on booting to maintenance mode, refer to the PAN-OS Command Line Interface Reference Guide.</P><P></P><P>When FIPS is enabled, the following apply:</P><P></P><P>• To log into the firewall, the browser must be TLS 1.0 compatible.</P><P></P><P>• All passwords on the firewall must be at least six characters.</P><P></P><P>• Accounts are locked after the number of failed attempts that is configured on the Device &gt; Setup &gt; Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out; however in FIPS mode, and lockout time is required.</P><P></P><P>• The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.</P><P></P><P>• Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.</P><P></P><P>• When configuring IPSec, a subset of the normally available cipher suites is available.</P><P></P><P>• Self-generated and imported certificates must contain public keys that are 2048 bits (or more).</P><P></P><P>• SSH key-based authentication must use RSA public keys that are 2048 bits or higher.</P><P></P><P>• The serial port is disabled.</P><P></P><P>• Telnet, TFTP, and HTTP management connections are unavailable.</P><P></P><P>• Surf control is not supported.</P><P></P><P>• High availability (HA) encryption is required.</P><P></P><P>• PAP authentication is disabled.</P><P></P><P>• Kerberos support is disabled.</P><P>"</P></BODY></HTML> Mon, 21 May 2012 19:38:31 GMT https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19381#M14153 mikand 2012-05-21T19:38:31Z https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19382#M14154 <HTML><HEAD></HEAD><BODY><P>The only certs I have are the localhost self signed for the web gui and the HA certs.</P><P></P><P>Scott Thompson</P><P>National Labor Relations Board</P><P>202-273-4097</P></BODY></HTML> Mon, 21 May 2012 19:54:44 GMT https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19382#M14154 LCMember4715 2012-05-21T19:54:44Z https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19383#M14155 <HTML><HEAD></HEAD><BODY><P>What if you extract running-config.xml through GUI and with a texteditor search for "rsa" in that file - any thints here (for example ssh keys or such)?</P></BODY></HTML> Mon, 21 May 2012 20:09:30 GMT https://live.paloaltonetworks.com/t5/general-topics/key-generation-operation-failed/m-p/19383#M14155 mikand 2012-05-21T20:09:30Z