topic Re: SSL Certificate renew and backup in Firewall and Security Management

SSL Certificate renew and backup

starmen2000 — Fri, 08 Sep 2023 17:10:56 GMT

Hi mates,

Quick question. We want to renew the SSL certificate on the gateway. It is displayed on the firewall properties on the platform portal tab. We have generated CRT file and private key file for new certificate. Now it is ready for renewal. Question is, if something goes wrong, once new certificate is installed, how can we get back to current certificate? As I know, we need private key file of current certificate. But we do not have it. How can I find private key of current certificate files on gateway and export it in case of rollback?

Thanks

Re: SSL Certificate renew and backup

the_rock — Fri, 08 Sep 2023 17:18:47 GMT

Maybe this answers your question...

Andy

https://community.checkpoint.com/t5/Management/secret-key-on-smart-1/m-p/161914#M32589

Re: SSL Certificate renew and backup

starmen2000 — Fri, 08 Sep 2023 17:53:44 GMT

Actually I could not find the exact answer related my answer.

Re: SSL Certificate renew and backup

the_rock — Fri, 08 Sep 2023 17:58:50 GMT

I meant the part I highlighted.

Andy

Short answer: the gateway has the private key, both have the public key.
This is consistent with how the RSA cryptosystem works, which is the basis for IPsec VPN, TLS, SIC, and others.

VPN Certificates come from the Internal Certificate Authority (ICA), which exists on the management and is based on the
Whether it's a device separate from the gateway or the same device (i.e. locally managed) doesn't matter.

When a Check Point gateway is first installed, it generates a unique private key, which is then signed by the ICA when SIC is established.
Much like when you issue a Certificate Signing Request for a certificate to a public CA for a website, the ICA does not need to know the gateway's private key in order to sign the certificate.

We do not provide a mechanism to export private keys from the gateway.
It is trivial (and more secure) to generate a new keypair signed by the same Certificate Authority as before.

Re: SSL Certificate renew and backup

starmen2000 — Fri, 08 Sep 2023 18:02:46 GMT

In this case, an important point comes to my mind, if something goes bad while replacing the current certificate, how can I revert to the old certificate? Without private key file of the current existing certificate on the gateway is it possible to rollback?

Re: SSL Certificate renew and backup

the_rock — Fri, 08 Sep 2023 18:26:15 GMT

Thats probably question for TAC, better get an official CP answer. Personally and this is just me. sounds like it might be possible to do it from Guidbedit, but honestly, its just educated guess.

Andy

Re: SSL Certificate renew and backup

PhoneBoy — Sat, 09 Sep 2023 01:49:57 GMT

You might be able to do so with a database revision on the management, but you would have to roll back the entire configuration to the desired point.