https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179624#M68586 <P>R81.10 JHF Take 79.<BR />Identity Collector version - R81.040.0000</P><P>I have things currently working after renewing the IPSec VPN self-signed certificate, but I am wondering if I have things setup "right"?&nbsp;The reason I started looking into this was my Access Role was not working. Check Point Identity Collector is installed on two servers. Under the Identity Collector app &gt; Gateways tab it was Disconnected on both. (screenshot taken after fix)<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IdC" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20709i5E7D6FED123EB07C/image-size/large?v=v2&amp;px=999" role="button" title="idc.png" alt="IdC" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">IdC</span></span></P><P>It referenced SK113021 under the Test button -&nbsp;<A href="https://support.checkpoint.com/results/sk/sk113021" target="_blank">Identity Collector fails to connect / add / edit a Security Gateway (checkpoint.com)</A>.&nbsp;I went to our cluster IP via a browser after reading that SK and other forum posts. Forum posts led me to read this as well - <A href="https://support.checkpoint.com/results/sk/sk170112" target="_blank">Identity Collector fails to connect to a Security Gateway due to MultiPortal certificate (checkpoint.com).</A><BR />After learning certs could be an issue, I went to my cluster IP via a browser and found out the self-signed certificate expired last month.<BR /><BR />To fix that, I had to re-enable the IPSec VPN blade (I disabled the blade since we aren't using this VPN method) and renewed the certificate and installed the policy. After those steps I was able to hit Test and it Connected fine on the IdC app.&nbsp;<BR /><BR />My questions are: - Does this setup sound correct?&nbsp;<BR />Can the self-signed certificate go longer than 1 year to avoid having to renew manually each year?<BR /><BR />Seems like one drawback of using IDC vs AD Query..</P><P>Thanks for reading!</P> Mon, 01 May 2023 22:59:42 GMT r1der 2023-05-01T22:59:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179624#M68586 <P>R81.10 JHF Take 79.<BR />Identity Collector version - R81.040.0000</P><P>I have things currently working after renewing the IPSec VPN self-signed certificate, but I am wondering if I have things setup "right"?&nbsp;The reason I started looking into this was my Access Role was not working. Check Point Identity Collector is installed on two servers. Under the Identity Collector app &gt; Gateways tab it was Disconnected on both. (screenshot taken after fix)<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="IdC" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20709i5E7D6FED123EB07C/image-size/large?v=v2&amp;px=999" role="button" title="idc.png" alt="IdC" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">IdC</span></span></P><P>It referenced SK113021 under the Test button -&nbsp;<A href="https://support.checkpoint.com/results/sk/sk113021" target="_blank">Identity Collector fails to connect / add / edit a Security Gateway (checkpoint.com)</A>.&nbsp;I went to our cluster IP via a browser after reading that SK and other forum posts. Forum posts led me to read this as well - <A href="https://support.checkpoint.com/results/sk/sk170112" target="_blank">Identity Collector fails to connect to a Security Gateway due to MultiPortal certificate (checkpoint.com).</A><BR />After learning certs could be an issue, I went to my cluster IP via a browser and found out the self-signed certificate expired last month.<BR /><BR />To fix that, I had to re-enable the IPSec VPN blade (I disabled the blade since we aren't using this VPN method) and renewed the certificate and installed the policy. After those steps I was able to hit Test and it Connected fine on the IdC app.&nbsp;<BR /><BR />My questions are: - Does this setup sound correct?&nbsp;<BR />Can the self-signed certificate go longer than 1 year to avoid having to renew manually each year?<BR /><BR />Seems like one drawback of using IDC vs AD Query..</P><P>Thanks for reading!</P> Mon, 01 May 2023 22:59:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179624#M68586 r1der 2023-05-01T22:59:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179625#M68587 <P>CP changed cert validity to 1 year I believe back in 2021, used to be 5 years for longest time. I know someone in R&amp;D told me they made that decision, as it is actually industry standars. Btw, you can have VPN blade off and still use IDC, I did that in lab few times.</P> <P>Andy</P> Mon, 01 May 2023 23:09:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179625#M68587 the_rock 2023-05-01T23:09:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179626#M68588 <P>Yeah, I have to renew web certs every year and I guess now this.</P><P>Thanks, I figured as much since it was off beforehand till the cert self-signed cert expired.<BR />I would turn it back off but I guess I'll leave it on to have the certificate renew button visible, so it's not hidden.</P> Mon, 01 May 2023 23:17:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179626#M68588 r1der 2023-05-01T23:17:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179627#M68589 <P>They improved this significantly in R81.20, as it gives warning way before its supposed to expire. I believe its at least 6 months, so gives plenty of time to take care of it.</P> Mon, 01 May 2023 23:50:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179627#M68589 the_rock 2023-05-01T23:50:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179629#M68590 <P>For awareness:</P> <P><A href="https://support.checkpoint.com/results/sk/sk176527" target="_blank">IKE certificate validity period has changed from 5 years to 1 year by default (checkpoint.com)</A></P> Tue, 02 May 2023 01:11:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179629#M68590 Chris_Atkinson 2023-05-02T01:11:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179631#M68591 <P>I remember seeing that sk before Chris, but will try extend validity in the lab tomorrow and see if it works.</P> <P>Cheers,</P> <P>Andy</P> Tue, 02 May 2023 02:07:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179631#M68591 the_rock 2023-05-02T02:07:15Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179720#M68592 <P>Just tried it, worked like a charm. Thanks&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/3630">@Chris_Atkinson</a>&nbsp;<span class="lia-unicode-emoji" title=":thumbs_up:">👍</span><span class="lia-unicode-emoji" title=":thumbs_up:">👍</span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_1.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/20732i23E3264B74234267/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot_1.png" alt="Screenshot_1.png" /></span></P> <P> </P> Tue, 02 May 2023 15:34:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/179720#M68592 the_rock 2023-05-02T15:34:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/180098#M68593 <P>Perfect, thanks! I was able to increase the expiration by 3 years.</P> Fri, 05 May 2023 22:02:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/180098#M68593 r1der 2023-05-05T22:02:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/181517#M68594 <P>I'm still trying to understand this. Do you need the VPN certificate though? It seemed like when it expired IDC stopped working.<BR />I think I'll test Removing the cert from the repository perhaps and see if IDC complains... but not today&nbsp;<span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span>.</P><P>&nbsp;</P><P>Edit: I think the answer is to delete the certificate, after reading this again. Since it is not in use:<BR /><A href="https://support.checkpoint.com/results/sk/sk113021" target="_blank">Identity Collector fails to connect / add / edit a Security Gateway (checkpoint.com)</A></P><UL><LI>If you can not "view" the certificate, <STRONG>it needs to be deleted and re-imported or permanently deleted once you have verified its not in use.&nbsp;</STRONG></LI></UL> Fri, 19 May 2023 22:35:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Access-Role-was-not-working-with-expired-self-signed-certificate/m-p/181517#M68594 r1der 2023-05-19T22:35:30Z