topic Re: Replace TLS cert in OpenTelemetry/Skyline

Replace TLS cert

Kolafer — Wed, 13 Dec 2023 15:37:20 GMT

Hello all,

did someone already replace the TLS cert in skyline configuration?

The certificate was changed on our Prometheus server.

Is it possible to use the Issuing CA, and not the cert of the Prometheus server, in ther configuration?

"enabled": true,
            "server-auth": {
                "ca-public-key": {
                    "type": "PEM-X509",
                    "value": "<CERTIFICATE>"

Or what would be the best way, if the certificate of Prometheus will replace every 2,5 years?

What are the steps, if we need to replace the cerificate for the Skyline TLS configuration?

Thanks

Re: Replace TLS cert

_Val_ — Mon, 18 Dec 2023 09:23:48 GMT

@Arik_Ovtracht can you please advise?

Re: Replace TLS cert

Elad_Chomsky — Mon, 18 Dec 2023 16:38:08 GMT

Hi @Kolafer , As far as I know the issuer CA should work on the GW itself, so it should prevent you from the need to do redeployment ( Assuming the Prometheus CA is signed by it ).

Regarding automatic deployment of certificates, there are some available solutions outside of CheckPoint, that can be used, but as this is out of scope of the CheckPoint support, I can share them, However I can't recommend to go to one or to the other. For example, CertBot or kubernetes based solutions.

Re: Replace TLS cert

Kolafer — Wed, 20 Dec 2023 23:12:15 GMT

Hello @Arik_Ovtracht ,

can you advise here please?

I created a new payloadjson and add the issuer CA of the Prometheus server, after rerun the configuration again. But still not working.

I can see the certificate was added to the certs/ca-bundle.crt.

br

What are the right steps to replace the certificate on the gateway?

Re: Replace TLS cert

Elad_Chomsky — Thu, 21 Dec 2023 09:03:16 GMT

Hi @Kolafer , Please open a support ticket to CheckPoint, so we can try to assist you directly.