This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Key generation operation failed

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Key generation operation failed

LCMember4715
L0 Member

‎05-21-2012 12:22 PM

enabled FIPS over the weekend now I get the message : Key generation operation failed - RSA when commiting

0 Likes Likes
3 REPLIES 3

mikand
L6 Presenter

‎05-21-2012 12:38 PM

Did you use any selfsigned or imported certificates before you enabled FIPS-mode?

Since according to the manual (PAN-OS_4.1_CLI_Reference_Guide.pdf, page 305):

"

Appendix C
Federal Information Processing Standards Support

You can configure the firewall to support the Federal Information Processing Standards 140-2 (FIPS 140-2), which are used by civilian U.S. government agencies and government contractors.

To enable FIPS mode on a software version that supports FIPS, boot the firewall into maintenance mode and then select Set FIPS Mode from the main menu.

For instructions on booting to maintenance mode, refer to the PAN-OS Command Line Interface Reference Guide.

When FIPS is enabled, the following apply:

• To log into the firewall, the browser must be TLS 1.0 compatible.

• All passwords on the firewall must be at least six characters.

• Accounts are locked after the number of failed attempts that is configured on the Device > Setup > Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out; however in FIPS mode, and lockout time is required.

• The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.

• Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.

• When configuring IPSec, a subset of the normally available cipher suites is available.

• Self-generated and imported certificates must contain public keys that are 2048 bits (or more).

• SSH key-based authentication must use RSA public keys that are 2048 bits or higher.

• The serial port is disabled.

• Telnet, TFTP, and HTTP management connections are unavailable.

• Surf control is not supported.

• High availability (HA) encryption is required.

• PAP authentication is disabled.

• Kerberos support is disabled.

"

0 Likes Likes

LCMember4715
L0 Member
In response to mikand

‎05-21-2012 12:54 PM

The only certs I have are the localhost self signed for the web gui and the HA certs.

Scott Thompson

National Labor Relations Board

202-273-4097

0 Likes Likes

mikand
L6 Presenter
In response to LCMember4715

‎05-21-2012 01:09 PM

What if you extract running-config.xml through GUI and with a texteditor search for "rsa" in that file - any thints here (for example ssh keys or such)?

0 Likes Likes
  • 1960 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks