Key generation operation failed

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Key generation operation failed

L0 Member

enabled FIPS over the weekend now I get the message : Key generation operation failed - RSA when commiting


L6 Presenter

Did you use any selfsigned or imported certificates before you enabled FIPS-mode?

Since according to the manual (PAN-OS_4.1_CLI_Reference_Guide.pdf, page 305):


Appendix C
Federal Information Processing Standards Support

You can configure the firewall to support the Federal Information Processing Standards 140-2 (FIPS 140-2), which are used by civilian U.S. government agencies and government contractors.

To enable FIPS mode on a software version that supports FIPS, boot the firewall into maintenance mode and then select Set FIPS Mode from the main menu.

For instructions on booting to maintenance mode, refer to the PAN-OS Command Line Interface Reference Guide.

When FIPS is enabled, the following apply:

• To log into the firewall, the browser must be TLS 1.0 compatible.

• All passwords on the firewall must be at least six characters.

• Accounts are locked after the number of failed attempts that is configured on the Device > Setup > Management page. If the firewall is not in FIPS mode, it can be configured so that it never locks out; however in FIPS mode, and lockout time is required.

• The firewall automatically determines the appropriate level of self-testing and enforces the appropriate level of strength in encryption algorithms and cipher suites.

• Non-FIPS approved algorithms are not decrypted and are thus ignored during decryption.

• When configuring IPSec, a subset of the normally available cipher suites is available.

• Self-generated and imported certificates must contain public keys that are 2048 bits (or more).

• SSH key-based authentication must use RSA public keys that are 2048 bits or higher.

• The serial port is disabled.

• Telnet, TFTP, and HTTP management connections are unavailable.

• Surf control is not supported.

• High availability (HA) encryption is required.

• PAP authentication is disabled.

• Kerberos support is disabled.


The only certs I have are the localhost self signed for the web gui and the HA certs.

Scott Thompson

National Labor Relations Board


What if you extract running-config.xml through GUI and with a texteditor search for "rsa" in that file - any thints here (for example ssh keys or such)?

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!