topic Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal in Firewall and Security Management

Checkpoint 790 Appliance - SSL VPN Certificate Renewal

Simon_Macpherso — Fri, 25 Aug 2023 12:42:06 GMT

I need to update an SSL VPN certificate on a Checkpoint 790 Appliance.

I have the pfx file to import generated from Entrust.

I thought the import option would be able to update the existing certificates, but when importing "Certificate already exists" is returned.

To remove the existing certificate, under VPN > Remote Access > Advanced I deselected the existing certificate (cant be deleted if the current certificate is selected). I then deleted the certificate from the table.

When I try to import the new certificate, it still returns "Certificate already installed".

I was thinking it might be the existing Entrust intermediate certificate located under Certificates > Trusted CAs that might also need to be removed before I can import the new certificate.

The import option does not seem to be able to automatically update the existing certificates.

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

the_rock — Fri, 25 Aug 2023 13:03:13 GMT

Can you send a screenshot of it please? I dont ever recall having issue with this in the past.

Andy

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

PhoneBoy — Fri, 25 Aug 2023 13:48:32 GMT

See if you can find the relevant certificate (a .crt file) in one of /pfrm2.0/config1/fw1/conf/ or /pfrm2.0/config2/fw1/conf/
If it's there, I believe it will be safe to remove the file and it should resolve the issue.
If this doesn't resolve the issue, I suggest contacting the TAC.

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

Simon_Macpherso — Mon, 28 Aug 2023 02:21:05 GMT

It seems the PFX in this instance doesn't contain the intermediate certificate - I removed the intermediate certificate from the Trusted CAs table and when trying to import the PFX it returned that the intermediate certificate for the import could not be found. So its not the existing intermediate certificate that is causing the issue.

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

Simon_Macpherso — Mon, 28 Aug 2023 02:26:43 GMT

There are /crt files in /pfrm2.0/config1/fw1/conf/ but the filenames appear encoded.

Are the .crt file names encoded? If so which encoding is used?

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

G_W_Albrecht — Mon, 28 Aug 2023 06:52:03 GMT

Better contact TAC - there is some issue with certificate renewal on SMBs, currently a customer using 1480 experiences a similar problem.

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

G_W_Albrecht — Mon, 28 Aug 2023 08:17:23 GMT

This was suggested by TAC:

1. Take a backup (Important!)

2. Delete trusted CAs
Remove the old certificate. (VPN -> Installed Certificates)
Go to VPN -> Trusted CAs , Delete your certificate.

3. While in expert mode go to '/pfrm2.0/config1/fw1/conf/' directory.
List all the certificates found under that directory by using the command:
[Expert@GW]# ls -ltr | grep crt
You will find a number of certificates that have characters as names [e.g.]:
-rw-r--r-- 1 root root 1050 Jun 27 18:42 c9720cf17d8ae1f993fe0b22.crt
-rw-r--r-- 1 root root 633 Jun 29 12:10 ccf7997d7404c47982732e29.crt
-rw-r--r-- 1 root root 734 Jun 29 12:10 e627755460d5431429e54b6e.crt
-rw-r--r-- 1 root root 645 Jun 29 12:10 f4270c849a7eaef38bef7989.crt
Delete these certificates.
Reboot the appliance and check again.

Please run the following command in expert mode and confirm the status of the convention blade.
#configload_Status

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

PhoneBoy — Mon, 28 Aug 2023 14:33:14 GMT

Not exactly sure how the files are named.
In any case, you will have to review the contents of each file to find the relevant one to remove.
I believe you can use the openssl CLI command to see the contents of these files (though can’t immediately find the correct syntax).

Re: Checkpoint 790 Appliance - SSL VPN Certificate Renewal

Simon_Macpherso — Wed, 30 Aug 2023 23:15:46 GMT

Thanks I haven't performed this procedure yet but the certificate expiry date was the 29th and users are still able to connect, suggesting the certificate was installed even though it didn't return a certificate successfully installed message. Oddly, the certificate also is not displayed in the installed certificates table.