https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/191950#M32158 <P>But the question is, if ICA is automatically renewed, what about VPN certificates and VPN users? Will their connection be affected after ICA auto-renew? Because I can still see the old VPN certificate in the gateway properties.&nbsp;</P> Thu, 07 Sep 2023 18:48:34 GMT starmen2000 2023-09-07T18:48:34Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180606#M30150 <P>Hi All we received this alert since a couple of days that the ICA cert of the SMS will expire in one year. We are using R81.10 at the moment.</P><P>Warning (The Internal Certificate Authority (ICA) certificate will expire on May 5 10:02:29 2024 GMT . To renew it, follow &lt;a href = "<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk158096" target="_blank" rel="noopener">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk158096</A>"&gt;sk158096&lt;/a&gt;)</P><P>So there seems to be a procedure to renew this cert but I am very curious on what would be the impact on the Identity awareness agent.</P><P><EM>"The end user is still able to connect from the VPN client and/or Identity Agents by clicking “Trust and continue” / “Trust” respectively.</EM></P><P><EM>To avoid these warning messages in the first place, we recommend that you publish the renewed fingerprint centrally to all your VPN clients / Identity Agents right after the renewal of the Internal CA certificate.</EM></P><P><EM>Unfortunately, the new fingerprint is generated only when the Internal CA certificate is renewed.</EM></P><P><EM>Note - There is no way to push the new fingerprint before the renewal of the Internal CA certificate"</EM></P><P>I believe the IA agents are using a different certificate which is installed on the gateway so how does that relate to the ICA cert of the SMS?</P><P>We obviously dont want to&nbsp; impact any end user especially the IA agent needs to be connected all the time, could anyone please leave your comments on this?</P><P>&nbsp;</P> Thu, 11 May 2023 09:09:23 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180606#M30150 dehaasm 2023-05-11T09:09:23Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180665#M30164 <P>Different certificate, but it's signed by the same CA (the Internal CA).<BR />Having said that, no previously issued certificates will be invalidated.</P> <P>Not sure how this works with the Identity Agents, unfortunately.</P> Thu, 11 May 2023 19:25:23 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180665#M30164 PhoneBoy 2023-05-11T19:25:23Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180733#M30179 <P>I understand but we need to prevent impacting the IA agents installed on the laptops (new fingerprint popup), should I open a TAC case to investigate?</P> Fri, 12 May 2023 12:14:40 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180733#M30179 dehaasm 2023-05-12T12:14:40Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180767#M30190 <P>I would recommend a TAC case on this, yes.</P> Fri, 12 May 2023 18:29:32 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/180767#M30190 PhoneBoy 2023-05-12T18:29:32Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/181678#M30278 <P><STRONG>NEW</STRONG><SPAN>: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.</SPAN></P><P><SPAN>take 95&nbsp;PRJ-44576,<BR />PMTR-90463</SPAN></P><P><SPAN>this fixed it automatically</SPAN></P> Mon, 22 May 2023 21:15:21 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/181678#M30278 dehaasm 2023-05-22T21:15:21Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/191950#M32158 <P>But the question is, if ICA is automatically renewed, what about VPN certificates and VPN users? Will their connection be affected after ICA auto-renew? Because I can still see the old VPN certificate in the gateway properties.&nbsp;</P> Thu, 07 Sep 2023 18:48:34 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/191950#M32158 starmen2000 2023-09-07T18:48:34Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/191967#M32160 <P>No, it should not.</P> Thu, 07 Sep 2023 20:46:45 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/191967#M32160 PhoneBoy 2023-09-07T20:46:45Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/191989#M32163 <P>No impact for VPN users. However, VPN users connecting to the gateway where ICA was renewed, will be asked to confirm new fingerprint once ICA is renewed.</P> Fri, 08 Sep 2023 05:40:20 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/191989#M32163 JozkoMrkvicka 2023-09-08T05:40:20Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192001#M32165 <P>What about the Site to Site VPNs, theirs autentication works over Certificate from the same SMS? After ICA changed, what are the best practise steps to make sure the tunnels are working properly?</P> Fri, 08 Sep 2023 08:06:28 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192001#M32165 starmen2000 2023-09-08T08:06:28Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192011#M32166 <P>it is automatically renewed since take 95 take a look at release notes we did it and had no impact with identity awareness nor IPsec VPNs although we don't use VPN remote access on the Check Point</P><P><SPAN class="">NEW</SPAN>: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.</P> Fri, 08 Sep 2023 08:44:36 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192011#M32166 dehaasm 2023-09-08T08:44:36Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192067#M32175 <P>do nothing <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> there is nothing to be worried about S2S VPNs once ICA is renewed. Nothing to do in this area.</P> Fri, 08 Sep 2023 18:29:41 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192067#M32175 JozkoMrkvicka 2023-09-08T18:29:41Z https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192068#M32176 <P>As&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/1702">@JozkoMrkvicka</a>&nbsp;said, no need to worry <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 08 Sep 2023 18:31:46 GMT https://community.checkpoint.com/t5/General-Topics/The-Internal-Certificate-Authority-ICA-certificate-will-expire/m-p/192068#M32176 the_rock 2023-09-08T18:31:46Z