topic Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029 in General Topics

ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

ProxyOps — Tue, 15 Apr 2025 07:36:42 GMT

Hello Checkmates!

As you may have already heared the CA/Browser Forum has voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029.

We are currently replacing our certificates via cpopenssl yearly by hand but this is no longer feasible when the lifespans willl be reduced every year now until 2029.

Are there already out of the box solutions in the Check Point product suite for protocols like ACME to support auto renewal of certificates in Check Point products?

Best regards

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

PhoneBoy — Tue, 15 Apr 2025 16:40:35 GMT

I know we have REST API support for changing certificates used for HTTPS Inspection as well as some of the certificates on the gateway itself in R82.
That's not ACME support, of course.
I recommend engaging with your local Check Point office with your precise requirements.

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

Alex- — Tue, 15 Apr 2025 17:17:27 GMT

Read about this today too, the changes will be phased as follows:

March 15, 2026: Newly issued certificates, including their Domain Control Validation, aka DCV, will have to be renewed every 200 days.
March 15, 2027: That lifespan will go down to 100 days.
March 15, 2029: New SSL/TLS certificates will be limited to 47 days, and 10 days for DCVs.

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

the_rock — Tue, 15 Apr 2025 23:12:27 GMT

Read about it yesterday, was having hard time believing it was true, but it definitely is.

Andy

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

Nüüül — Wed, 16 Apr 2025 07:15:40 GMT

i second this. would be great to configure multiportal deamon to present ACME certificates and renew them automatically. something completely different from https inspection

Great would be being able to have an option on several portals independent from each other. (perhaps per hostname, instead port) and in smartconsole / mgmt api - like saml-vpn, sslvpn, usercheck and so on.

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

GHaider — Thu, 27 Nov 2025 10:04:41 GMT

i also have taken this to checkpoint support, and they said i should submit a RFE via checkpoint office...

...funny thing is that they don't seem to know there own product, because with R82 API you can already do all the needed certificate settings...

see https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/set-simple-cluster~v2.0.1

for example:

add via api:
mgmt_cli --root true set simple-cluster name "CLUSTER" vpn-settings.certificates.add.name "testcertdeleteme" vpn-settings.certificates.add.certificate-authority "HARICA_TLS_RSA_Root_CA_2021" vpn-settings.certificates.add.enrollment.enrollment-settings.distinguished-name "CN=commonname.com,O=Org,ST=Vienna,C=AT" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.1.name-type "fqdn" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.1.value "3.commonname.com" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.2.name-type "fqdn" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.2.value "firewall.commonname.com"

remove via api:
mgmt_cli --root true set simple-cluster name "CLUSTER" vpn-settings.certificates.remove "cername_exp20251113" ignore-warnings "true"

usercheck portal would be:

mgmt_cli --root true set simple-cluster name "CLUSTER" usercheck-portal-settings.certificate-settings

so if you have the certificate via acme, you can import it via api, at least on R82

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

Nüüül — Thu, 15 Jan 2026 15:31:44 GMT

Thanks mate! will have a look at it shortly

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

ProxyOps — Tue, 31 Mar 2026 07:44:30 GMT

Any news from Check Point regarding the damocles sword with certificate lifespans?
Our certificates from Web SmartConsole now need to be replaced every 7 months and I really hate the idea to do this manual reneweal process every 47 days in 2029.

Is there any strategy / recommendation from Check Point or is every check point customer on its own?

Re: ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

genisis__ — Tue, 31 Mar 2026 08:22:00 GMT

I think its important to note that this challenge is faced by all vendors, so it would logically make sense that all vendors need to update there systems to have a user friendly mechanism to auto renew certificates either via a public CA or Private CA.
From a Checkpoint prospective, there should be a solution that addresses this via SmartConsole and also at GAIA WEBUI level as it is feasible to have a device level certificate.

I'm not sure why a RFE would be needed considering the industry level impact here.

The question here also is if using certificates becomes impractical, then what are the alternatives to safeguard sites and identities.