topic Re: How are you keeping up with Check Point VPN/SIC Certificates in General Topics

How are you keeping up with Check Point VPN/SIC Certificates

Heath — Wed, 01 Oct 2025 15:27:23 GMT

Our process is very manual and we've missed some recently with VPN certificates being renewed. How are others tracking and renewing Check Point VPN/SIC certificates?

Re: How are you keeping up with Check Point VPN/SIC Certificates

Bob_Zimmerman — Wed, 01 Oct 2025 15:45:02 GMT

I've never tracked SIC certs. They should renew on their own.

VPN certs should too, but I keep getting alerts about VPN cert expiration on firewalls which have never even had the VPN feature enabled. Not sure how best to deal with those.

Re: How are you keeping up with Check Point VPN/SIC Certificates

Heath — Wed, 01 Oct 2025 15:52:15 GMT

We did find in the documentation where the SIC certs renew at 75% validity. The problem we have is I guess you have to push policy for that to take upon the auto-renewal. We have remote static un-manned sites where the firewalls are pretty much set it and forget it. So we've had issues in the past and try to track those just to make sure it doesn't happen. Of course, all manual.

Re: How are you keeping up with Check Point VPN/SIC Certificates

CaseyB — Wed, 01 Oct 2025 16:13:07 GMT

I have not found a good way, but the current method I use is:

After upgrading SMS - policy push all gateways

I upgrade frequently enough that I generally catch all the certificate warnings in the policy push.

Re: How are you keeping up with Check Point VPN/SIC Certificates

Bob_Zimmerman — Wed, 01 Oct 2025 16:42:16 GMT

My team has scripted pushes of basically every policy to the corresponding firewall. The idea is we don't want some change lurking for months to bite us just as we need to push policy to deal with some emergency.

It should be possible to script something with 'cpca_client lscert -kind SIC -stat Valid'. Dealing with the multi-line output would probably be the most irritating part.

Re: How are you keeping up with Check Point VPN/SIC Certificates

Alex- — Wed, 01 Oct 2025 18:31:09 GMT

Unless I missed something, VPN certs don't auto-renew. On systems without VPN this is done by enabling IPSEC VPN, renew it, then disabling the blade, publish and install, on systems which care about them this is done by renewing it manually in the blade section as well.

There's an SK about this, also referencing another relatively recent tool to renew: https://support.checkpoint.com/results/sk/sk178304

As there's no apparent added value to keep an expired certificate, I agree they should renew themselves by default and be distributed by the management station.

Re: How are you keeping up with Check Point VPN/SIC Certificates

Duane_Toler — Wed, 01 Oct 2025 19:31:22 GMT

Yep. Here's what I did:

# I use Nagios . /usr/lib/nagios/plugins/utils.sh check_ike_certs() { cert_block="" cert_host="" cert_time="" cert_host_regex="^Subject = CN=(.*) VPN Certificate" cert_time_regex="Not_After: (.*)" declare -A cert_list # associative array of "cert_host = cert_time" declare -a cert_host_list # to hold sorted list of cert hosts while read cert_block; do if [[ ${cert_block} =~ ^$ ]]; then if [ -n "${cert_host}" -a -n "${cert_time}" ]; then cert_list[${cert_host}]="${cert_time}" fi cert_block="" cert_host="" cert_time="" else if [[ ${cert_block} =~ ${cert_host_regex} ]]; then cert_host=${BASH_REMATCH[1]} elif [[ ${cert_block} =~ ${cert_time_regex} ]]; then cert_time=${BASH_REMATCH[1]} else continue fi fi done <<<$(cpca_client lscert -stat Valid -kind IKE;echo " "; echo) #Add artificial blank line as EOF for the while loop # sort the associate array keys to a natural list read -a cert_host_list <<<$( for c_host in "${!cert_list[@]}"; do echo $c_host done |sort -f |xargs) for c_host in "${cert_host_list[@]}"; do check_cert_time $c_host "${cert_list[$c_host]}" done # check exit status against bitwise code and exit accordingly if (( ${exitstatus} )); then echo "${status_msg} | ${perf_msg}" if (( ${exitstatus} & 4 )); then exitstatus="UNKNOWN" elif (( ${exitstatus} & 2 )); then exitstatus="CRITICAL" elif (( ${exitstatus} & 1 )); then exitstatus="WARNING" fi else echo "IKE certificates are OK | ${perf_msg}" exitstatus="OK" fi } # deal with $exitstatus however you want.

Re: How are you keeping up with Check Point VPN/SIC Certificates

Duane_Toler — Wed, 01 Oct 2025 21:47:14 GMT

You probably need that check_cert_time() function, too:

check_cert_time() { local cert_host=$1 local cert_time=$2 #echo "--${cert_host}--, --${cert_time}--" cert_tm=$(date +"%s" -d "${cert_time}" 2>/dev/null) if (( $? )); then exitstatus=${STATE_UNKNOWN} status_msg="Error processing certificate status (cert_host: ${cert_host})" echo ${status_msg} exit ${exitstatus} fi #echo "date now: ${DATE_NOW}" cert_days=$(( (${cert_tm} - ${DATE_NOW}) / 86400 )) #echo "cert_days: ${cert_days}" #echo "warn: ${WARN_LEV}, crit: ${CRIT_LEV}" if (( ${cert_days} > ${WARN_LEV} )); then status_msg=${status_msg:+${status_msg}" "}"${cert_host} is OK" exitstatus=$(( exitstatus | ${STATE_OK} )) elif (( ${cert_days} > ${CRIT_LEV} )); then status_msg=${status_msg:+${status_msg}" "}"${cert_host} is WARNING" exitstatus=$(( exitstatus | ${STATE_WARNING} )) elif (( ${cert_days} <= ${CRIT_LEV} )); then ## && ${cert_days} >= 0 )); then status_msg=${status_msg:+${status_msg}" "}"${cert_host} is CRITICAL" exitstatus=$(( exitstatus | ${STATE_CRITICAL} )) else ## Never will reach here, i know status_msg=${status_msg:+${status_msg}" "}"${cert_host} is UNKNOWN" exitstatus=$(( exitstatus | 4 )) fi perf_msg=${perf_msg:+${perf_msg}" "}"${cert_host}: ${cert_days}" #echo "${status_msg} | ${perf_msg}" #echo "status: ${exitstatus}" }

The status and perfdata message variables are just to feed info back into Nagios. Do with these what you want ...or not.