topic Re: Automatic certificate renewal in SASE and Remote Access

Automatic certificate renewal

ErikV — Fri, 15 Oct 2021 12:30:03 GMT

Hello,

With the maximum validity period of certificates becoming shorter all the time it is a challenge for large deployments to renew everything. Is there a known solution to automate this for the remote access solutions of Check Point? And maybe even the Gaia interface as well? (some of our customers even have an external wildcard certificate on their Gaia webinterface).

Things like certbot don't apply for the VPN solution I guess, or maybe via the API?

Thanks in advance,

Regards,

Erik

Re: Automatic certificate renewal

PhoneBoy — Mon, 18 Oct 2021 07:06:40 GMT

If you're using the ICA, then in theory, the certificates should renew automatically.
For an external CA, I'm not aware of an easy way to automate this stuff as there aren't really APIs or CLI commands to do this that I'm aware of.

Re: Automatic certificate renewal

checkfreehs — Mon, 25 Oct 2021 10:32:03 GMT

There must be something for this right?

Can't believe that we still need to do this time consuming job by hand every year again.

Re: Automatic certificate renewal

ErikV — Tue, 26 Oct 2021 21:10:19 GMT

I see in API v1.8 there are certificate installation options for the platform portal and the usercheck page, but not for the mobile access portal (or I did not find it yet). Let's hope this will be added in the near future as well!

Regards,

Erik

Re: Automatic certificate renewal

Baasanjargal_Ts — Thu, 22 Sep 2022 06:31:58 GMT

Hi, Did you find any solution on this problem.?

Re: Automatic certificate renewal

Thomas_Eichelbu — Wed, 16 Nov 2022 17:54:19 GMT

Hello,

i just had the same issue now, VPN from a remote GW just stopped.

Not Valid Before: Mon Nov 15 12:55:30 2021 Local Time
Not Valid After: Wed Nov 16 12:55:30 2022 Local Time

But iam not sure if VPN certificates really get renewed automatically?
Where in a guide/SK is this written?
Anyway, i have seen this too often i will open a case and ask TAC.

i will keep u posted!

Re: Automatic certificate renewal

Soren_Kristense — Thu, 19 Jan 2023 12:27:50 GMT

I have the same question, I talked to my certificate provider, and they told my, that I should expect that the lifetime on certificate will go to 3 month or lower, so a automated way of doing it is a must.

Re: Automatic certificate renewal

PhoneBoy — Thu, 19 Jan 2023 17:56:49 GMT

I suspect we'll have a way to update this information via API in the future.
Having said that, I highly recommend approaching your Check Point SE with your precise requirements for this.

Re: Automatic certificate renewal

checkfreehs — Wed, 08 Feb 2023 14:01:38 GMT

The future is NOW.

You are rather later with this.

Re: Automatic certificate renewal

G_W_Albrecht — Wed, 08 Feb 2023 14:18:07 GMT

This sounds rather strange - 3 months or lower ? Then we better stay with the internal CA...

Re: Automatic certificate renewal

checkfreehs — Wed, 08 Feb 2023 19:57:36 GMT

https://letsencrypt.org/docs/faq/

What is the lifetime for Let’s Encrypt certificates? For how long are they valid?

Our certificates are valid for 90 days. You can read about why here.

There is no way to adjust this, there are no exceptions. We recommend automatically renewing your certificates every 60 days.

https://letsencrypt.org/2015/11/09/why-90-days.html

Why ninety-day lifetimes for certificates?

Nov 9, 2015 • Josh Aas, ISRG Executive Director

We’re sometimes asked why we only offer certificates with ninety-day lifetimes. People who ask this are usually concerned that ninety days is too short and wish we would offer certificates lasting a year or more, like some other CAs do.

Ninety days is nothing new on the Web. According to Firefox Telemetry, 29% of TLS transactions use ninety-day certificates. That’s more than any other lifetime. From our perspective, there are two primary advantages to such short certificate lifetimes:

They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.

For these reasons, we do not offer certificates with lifetimes longer than ninety days. We realize that our service is young, and that automation is new to many subscribers, so we chose a lifetime that allows plenty of time for manual renewal if necessary. We recommend that subscribers renew every sixty days. Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.

the future was already before 2015, almost 10 years from now.

Re: Automatic certificate renewal

AS2021 — Mon, 22 May 2023 14:16:00 GMT

Hi PhoneBoy,
I have question regarding the ICA renewal, is it any way to ICA will be automatically renewed ? eg. by installing new software/hot fix ?

Re: Automatic certificate renewal

G_W_Albrecht — Mon, 22 May 2023 14:56:56 GMT

NO - at least if you do an upgrade, not fresh install without db import 8) After Jumbo install, GAiA WebGUI may need a new exception for the self-signed cert in browser, but that is all...

See sk158096: How to renew an Internal Certificate Authority (ICA) certificate for on-purpose renewals - sk164255: SIC Certificate fails to renew automatically for issues with that!

Re: Automatic certificate renewal

PhoneBoy — Mon, 22 May 2023 23:36:06 GMT

We now do an automatic renewal of the ICA as of R81.10 JHF 95 (PRJ-44576, PMTR-90463).
I presume this will also get rolled into other JHF streams.

Re: Automatic certificate renewal

Soren_Kristense — Fri, 24 Nov 2023 15:59:36 GMT

Is there any planes to auto renew the internal certificates on the gateways they now only have a lifetime on 1 year, and are used with identity collector, vpn and more, and do a renew on +100 gateways takes time.

Re: Automatic certificate renewal

PhoneBoy — Mon, 27 Nov 2023 13:43:09 GMT

Last I heard, there was a plan to provide an automated mechanism to do this in the near future...

Re: Automatic certificate renewal

JozkoMrkvicka — Tue, 26 Mar 2024 13:45:53 GMT

Starting from R81.10, all IKE certificates are valid only for 1 year by default.

If customer has many FWs used for RA or S2S, where IKE certificate must be valid, it will help if there is some automated way to renew defaultCert automatically (like SIC, InternalCA).

Re: Automatic certificate renewal

stallwoodj — Wed, 10 Apr 2024 08:55:24 GMT

Hopefully this will get sorted. VPN certificate expiry has caused us pain.

And for one customer who uses SAML, this needs a proper certificate and so far LetsEncrypt isn't available so that's entailed a different manual process!

Re: Automatic certificate renewal

Lesley — Wed, 10 Apr 2024 09:19:51 GMT

I keep track of the expire dates in our systems so we get alerted before it expires. Just make a note in a calendar or internal system it is not that difficult. Also when the certificate will expire soon Check Point will give alert at the policy push.

So instead of waiting for Check Point to get it 'sorted' I would recommend to check your own procedures.

Re: Automatic certificate renewal

PhoneBoy — Thu, 11 Apr 2024 22:23:37 GMT

The script we are planning to make available to manage IKE certificates has an "in progress" SK for the functionality (only visible for Check Point employees).
Unfortunately, I do not know the timeline for it, though it is expected to be available as part of R82 and backported to R81.x releases via JHF.