Replacing subordinate CA certificate with same DN – will it affect existing VPN/SAML certificates?

konecnyl — Tue, 04 Nov 2025 15:57:03 GMT

Hi all,

I’d like to double-check the correct procedure for handling a subordinate CA renewal in Check Point management.

Our internal PKI admin has reissued a subordinate CA (*_sub_ca) certificate with the same Distinguished Name (CN=xxx_sub_ca, O=..., C=CZ) but a new validity period (the old one is still valid until Jan 2026).

In our environment:

The subordinate CA (*_sub_ca) and the root CA are both imported under Trusted CA Servers and used for VPN certificates (SAML and SSL VPN, certificate-based authentication).
The new subordinate CA certificate cannot be imported — SmartConsole reports:
Error: Certificate with the same Distinguished Name already installed for another CA: dpp_sub_ca. Installation failed.
On Cisco ISE, both CAs can coexist, but Check Point blocks this because of the identical DN.

Now, some of our mobile clients (Capsule VPN on Android) already received new user certificates signed by the new subordinate CA, and they can’t authenticate — because the gateway doesn’t trust the new CA yet.

Questions:

Can I safely perform a Replace Certificate operation on the existing *_sub_ca object (keeping the same DN), so that both old and new client certificates remain trusted?
Will this “replace” operation preserve all existing trust relationships — e.g., issued VPN/SAML certificates that are still valid under the old CA?
Is there any best practice for temporarily supporting both old and new subordinate CA certificates (same DN) in parallel?

We are running:

Check Point R82 Management and Gateways
Capsule VPN on Android/iOS (certificate-based auth)
The old and new subordinate CA have identical DN but different serial numbers and validity ranges.

Any official confirmation or experience from the field would be appreciated before we proceed with the replacement.

Thanks,
Lukáš

Re: Replacing subordinate CA certificate with same DN – will it affect existing VPN/SAML certificate

the_rock — Tue, 04 Nov 2025 18:17:05 GMT

Hey Lukas,

This is way I understand it...

If you right-click the existing subordinate CA object and choose Replace Certificate, then:

The old CA certificate data (public key, validity, serial) will be replaced with the new one.
Any trust relationships that rely on that CA object (e.g. VPN certificate validation, SAML trust, Mobile Access portal authentication) will now trust certificates chained to the new CA’s key.
However — Check Point will no longer recognize certificates that were signed by the previous CA key (i.e., old subordinate CA), even if they’re still valid and not expired.

That’s because the CA’s public key changes, and Check Point validates certificates by chaining to a specific key pair, not just by DN.

So in short:

-New client certificates signed by the new subordinate CA → will authenticate fine.

-Old certificates signed by the old subordinate CA (same DN, old key) → will fail validation once the replacement is applied.

topic Replacing subordinate CA certificate with same DN – will it affect existing VPN/SAML certificates? in SASE and Remote Access

Replacing subordinate CA certificate with same DN – will it affect existing VPN/SAML certificates?

Re: Replacing subordinate CA certificate with same DN – will it affect existing VPN/SAML certificate