topic Re: Renew external (3rd party) certificate for IPSEC VPN in General Topics

Renew external (3rd party) certificate for IPSEC VPN

Gaurav_Pandya — Mon, 10 Feb 2020 16:05:14 GMT

Hi,

I want to renew external certificate in IPSEC VPN TAB as it will expire soon. I have gone thru some docs and came to know that,

In a typical SSL configuration, you receive all the necessary certificates after you generate the CSR Code and your CA validates your request. After the CA signs an SSL Certificate, it sends a ZIP folder with the installation files to the applicant’s email.

Since Checkpoint VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/pem versions of your root and intermediate certificates. then generate CSR and give it to vendor for certificate generation.

Is this the method I need to follow?

Can someone please share step-by-step procedure to renew external certificate for VPN?

Re: Renew external (3rd party) certificate for IPSEC VPN

PhoneBoy — Wed, 12 Feb 2020 01:55:29 GMT

You’re talking about IPSEC certificates in one hand but TLS certificates on the other.
Which is it?
In any case, I suspect you will follow the same process you followed to install the third party certificate to begin with.
That may mean recreating the OPSEC CA key (if that changed).

Re: Renew external (3rd party) certificate for IPSEC VPN

Gaurav_Pandya — Fri, 21 Feb 2020 09:36:22 GMT

Hi PhoneBoy,

Thanks for reply.

I am talking about below certificate.

Trusted CA is already generated for this certificate but now it is about to expire so I have to generate new CA? Can you please share steps to renew this certificate?

Re: Renew external (3rd party) certificate for IPSEC VPN

Norbert_Bohusch — Fri, 21 Feb 2020 14:38:20 GMT

You need to remove existing cert, add/create a new one.
By adding a new one you get a CSR to view. Copy this and get it signed by your CA (digicert). Then you complete the CSR with the cert.

Re: Renew external (3rd party) certificate for IPSEC VPN

Gaurav_Pandya — Fri, 21 Feb 2020 14:44:43 GMT

ok. So when I remove cert, that wildcard FQDN will be impacted?

Re: Renew external (3rd party) certificate for IPSEC VPN

PBC_Cyber — Fri, 21 Feb 2020 17:06:26 GMT

Delete the old one and publish the changes but don't do a policy push. After that you can do the CSR and request/install the new cert with little or no downtime.

Re: Renew external (3rd party) certificate for IPSEC VPN

Daniel_Westlund — Mon, 24 Feb 2020 22:08:43 GMT

So we need a no change window for them? Customer expects it to take 2-3 days to get it signed, so no change window for that long? And if they have to make a change, we roll back to a migrate export we'll take before the change?

Re: Renew external (3rd party) certificate for IPSEC VPN

Douglas_Rich — Fri, 18 Sep 2020 19:42:22 GMT

I am too wondering if there is a lengthy time between when the CSR is generated and the Cert is installed if a CRL is checked and the tunnels goes down because the old cert is revoked?

Re: Renew external (3rd party) certificate for IPSEC VPN

dwilliams-dmu — Fri, 14 Jan 2022 15:20:20 GMT

This whole thread is full of really great questions. Questions that I have not seen any good answers to from Checkpoint anywhere. The fact that you can't generate a CSR without a CA is beyond bizarre to me and I can't think of any good reason for that. The additional limitations to having more than one certificate to a "CA object" and not being able to have two identical cert chains referenced in different "CAs objects" make it impossible to use two certificates from the same CA using the same cert chain.

Certificate changes are a routine operational task and it should be as simple as generate a CSR (no need for CA cert chain ahead of time) get the CSR signed by 3rd party, upload signed certificate bundle to complete the installation, and then change the reference to the certificate used for whichever service needs a cert change. None of that should be disruptive in any way and when the certificate reference is changed the new public key and certificate get provided for any connections established after that point. Fallback is as simple as changing the reference back to the old certificate.

I am blown away at how complicated such a simple task is for Checkpoint to pull off.