Issue
The following error appears after a commit or a high severity system log event:
Key generation operation failed - RSA.
Detail of system event:
domain: 1
receive_time: 2014/11/11 09:13:53
serial: 012345678
seqno: 11128
actionflags: 0x0
type: SYSTEM
subtype: general
config_ver: 0
time_generated: 2014/11/11 09:13:53
vsys: vsys1
eventid: general
object:
fmt: 0
id: 0
module: general
severity: high
opaque: Key generation operation failed - RSA
Cause
This error only appears when FIPS (Federal Information Processing Standards 140-2) mode is enabled and:
- Any certificates included in the configuration are 1024 bits or less
- SSH key-based authentication is set to 1024 bits or less for Admin logins
This error is only a notification that the certificates are not FIPS compliant; it is not service impacting.
Per the Admin Guide, requirements when enabling FIPS mode:
- Self-generated and imported certificates must contain public keys that are 2048 bits or higher.
- SSH key-based authentication must use RSA public keys that are 2048 bits or higher.
Resolution
Every certificate in the configuration, whether in use or not, must meet the FIPS requirements. All certificates and SSH key-based authentication must use keys that are 2048 bits or higher.
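One way to find admin SSH keys that fall under the 2048-bit requirement before they are loaded, as an added example that is not part of the original article or Palo Alto Networks tooling. It covers only OpenSSH-format RSA public key lines (not certificates); the function names are hypothetical and the sample keys are constructed with made-up moduli.

```python
import base64
import struct

FIPS_MIN_RSA_BITS = 2048  # minimum from the FIPS-mode requirements quoted above

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string or mpint) from a key blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def rsa_bits(line):
    """Modulus size in bits for a 'ssh-rsa <base64> [comment]' line, None if not RSA."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    blob = base64.b64decode(fields[1], validate=True)
    key_type, offset = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match the line prefix")
    _exponent, offset = _read_field(blob, offset)
    modulus, _ = _read_field(blob, offset)
    return int.from_bytes(modulus, "big").bit_length()

def non_compliant(lines):
    """Return (comment, bits) for every RSA key below the FIPS-mode minimum."""
    findings = []
    for line in lines:
        bits = rsa_bits(line)
        if bits is not None and bits < FIPS_MIN_RSA_BITS:
            fields = line.split()
            findings.append((fields[2] if len(fields) > 2 else "", bits))
    return findings

def _constructed_key(bits, comment):
    """Build a sample ssh-rsa line; the modulus is made up, only its length matters."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    def mpint(n):
        return field(n.to_bytes(n.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

SAMPLE_KEYS = [_constructed_key(1024, "admin-old"), _constructed_key(2048, "admin-new")]  # constructed
if __name__ == "__main__":
    for comment, bits in non_compliant(SAMPLE_KEYS):
        print(f"{comment}: RSA {bits} bits, below the FIPS-mode minimum of {FIPS_MIN_RSA_BITS}")
```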
Contact Palo Alto Networks Support if any assistance is needed to resolve this issue.
owner: jdelio