topic Re: Automatically Renew VPN Certificates in General Topics

Automatically Renew VPN Certificates

HeikoAnkenbrand — Mon, 29 Jun 2026 18:04:41 GMT

It is a recurring challenge to regenerate and maintain all VPN certificates. To automate this process, I used the Check Point script described in sk182070. The following guide explains how to implement it and how to execute it automatically.

1) Download the Check Point script from sk182070

Download the Check Point script from sk182070 to your Management Server and create the directory /home/admin/cert/.
Copy the downloaded gateway_cert_util.tar file into this directory and extract it using tar.

# mkdir /home/admin/cert # cd /home/admin/cert --> Copy the file gateway_cert_util.tar from the SK into this <-- directory # tar xvf /home/admin/cert/gateway_cert_util.tar # chmod u+x /home/admin/cert/gateway_cert_util.sh

2) Create a cron job to renew all VPN certificates

Create a cron job (Once a month at 2:00 AM.) to execute the script once per month on the Management Server. The script will automatically renew all VPN certificates that are due to expire within the next 90 days.

# crontab -e --> Add the following entry to the crontab <-- 0 2 1 * * /home/admin/cert/gateway_cert_util.sh -renew 90 -type vpn >> /var/log/gateway_cert_util.log 2>&1

3) Add a cron job to install the required policy

If you want to automatically install the policy after the certificates have been renewed, you can create an additional cron job that installs the required policy packages (Once a month at 3:00 AM.).

If step 3 is not performed, the certificate will be installed during the next policy deployment. The previous VPN certificate will be revoked automatically after 7 days. If you do not install the policy within this period, the Security Gateway will not receive the renewed VPN certificate, which will potentially cause connectivity issues with VPN and web portals on the Security Gateway.

Make sure to replace the policy names with your own. In this example, the policy packages are "Standard" and "POLICY2". You can also install multiple policy packages automatically by adding/removing or rename additional policy names to the echo command.

# crontab -e --> Add the following entry to the crontab <-- 0 3 1 * * echo "Standard" "POLICY2" | xargs -d ' ' -n 1 -I % mgmt_cli -r true install-policy access true policy-package "%" >> /var/log/gateway_cert_util.log 2>&1

4) Check the logs and cron jobs

You can use the following commands to verify that the cron job is running and that the script has written log entries.

# cronjob -l # cat /var/log/gateway_cert_util.log

Re: Automatically Renew VPN Certificates

Steffen_Appel — Mon, 29 Jun 2026 11:39:09 GMT

You need to trigger a policy install to fully automate it.

Re: Automatically Renew VPN Certificates

HeikoAnkenbrand — Mon, 29 Jun 2026 12:20:12 GMT

Thanks @Steffen_Appel for the suggestion. I have added a second cron job for automatic policy installation.

Re: Automatically Renew VPN Certificates

Steffen_Appel — Mon, 29 Jun 2026 14:26:09 GMT

Thanks but renewed certs are revoked automatically after 7 days...

Re: Automatically Renew VPN Certificates

HeikoAnkenbrand — Mon, 29 Jun 2026 18:01:49 GMT

CUT from sk182070 >>>

The previous VPN certificate will be revoked automatically after 7 days. If you do not install the policy within this period, the Security Gateway will not receive the renewed VPN certificate, which will potentially cause connectivity issues with VPN and web portals on the Security Gateway.

<<<CUT

You must install the policy within 7 days. Otherwise, the previous VPN certificate will expire, and the VPN tunnel will no longer function.

Section 3 describes how to automate the policy installation. You should configure this step as a cron job to ensure the policy is installed regularly. Otherwise, connectivity issues may occur after 7 days when the old VPN certificate expires.