topic Re: Migrate VPN Certificate in Firewall and Security Management

Migrate VPN Certificate

GSallin — Tue, 21 Feb 2023 14:48:02 GMT

I have a question.

My customer is currently using a virtual GW as VPN GW, the VPN users have to authenticate themselves with a certificate.

The customer wants to replace his GW with a new one (new release), is it possible to migrate the certificate from the old GW to the the new one?

Thank you

Re: Migrate VPN Certificate

G_W_Albrecht — Tue, 21 Feb 2023 15:05:02 GMT

Why not update the existing GW to the new release ? This would keep everything...

Re: Migrate VPN Certificate

GSallin — Tue, 21 Feb 2023 15:06:18 GMT

Because he want to restart from scratch with a new one

Re: Migrate VPN Certificate

G_W_Albrecht — Tue, 21 Feb 2023 15:12:28 GMT

Not possible without TAC afaik.

Re: Migrate VPN Certificate

PhoneBoy — Tue, 21 Feb 2023 15:16:26 GMT

In general, there is no way to export the private key of a gateway and import it to another.
If they use the same Certificate Authority (ie are managed by the same management), then this shouldn’t create an issue since it’s ultimately the CA that validates a certificate is valid.
Other than possibly a fingerprint message when the user connects to the new gateway for the first time, there shouldn’t be any issues authenticating.

More details about your current and proposed configuration (current version, target version, how is the gateway managed from what versions, etc) would help clarify our answers.

Re: Migrate VPN Certificate

the_rock — Tue, 21 Feb 2023 15:22:59 GMT

Hey @GSallin

Not sure if it is possible, but below discussion might be helpful:

https://community.checkpoint.com/t5/Management/quot-unknown-quot-certificate-on-management-server/m-p/164407#M32920

Andy

Re: Migrate VPN Certificate

PointOfChecking — Tue, 15 Aug 2023 13:53:50 GMT

Hi Phone Boy,

We have 2 GWs, a 3800 (R80.40) and an 1800 (R80.20.50).

According to your comment, can I use the same certificate to connect to different GW's VPN if they use the same MGMT (Same CA)?

I have tried, but in the logs (after vpn debug ikeon), I see the below in the smart logs:

It's strange, it can see the correct DN, but shows "user DN unknown" and for the key install it shows "invalid certificate".

Any ideas please?

I also tried to create a new client certificate and enroll that one to the other GW, but still fails. (i.e. one client certificate per gw per user)

Re: Migrate VPN Certificate

PhoneBoy — Tue, 15 Aug 2023 21:45:56 GMT

Suggest involving the TAC to troubleshoot this: https://help.checkpoint.com

Re: Migrate VPN Certificate

Chris_Atkinson — Tue, 15 Aug 2023 22:27:15 GMT

Please also note that R80.20.x will be EOL in Oct-23, please refer:

https://www.checkpoint.com/support-services/support-life-cycle-policy/#embedded-security