https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241203#M12063 <P>Hi everyone,</P><P><SPAN>Recently I have a problem with reinitializing the VPN Certificate on SMB Gateways. on a cloud managed (infinity portal) SMBs 1570, 1535, 1530, and so on with firmware R81.10.10 (996002945), and&nbsp; R81.10.15 (996003913) the VPN certificate is expired, and as it is connected to the SMP, I cannot reinitialize the internal certificate correctly. every time I tried, I got this error: "Failed to reinitialize certificates".</SPAN><BR /><SPAN>The new certificate is there, but it is not healthy, and the VPN is not working.</SPAN><BR /><SPAN>A Professional once told me that certificates on Cload-managed SMBs have to be managed only through SMP. I have done that, and the certificate is on the gateway, but not as a VPN certificate, as a cloud service provider certificate. At this point, the only way I can renew the certificate correctly is to disconnect the gateway from the SMP, renew the certificate, and reconnect it. But this shouldn't be the right way! Its not a solution, its just a workaround!<BR />Has anyone any solution?<BR />Thanks in advance.</SPAN></P> Fri, 14 Feb 2025 09:31:35 GMT Soroosh 2025-02-14T09:31:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241203#M12063 <P>Hi everyone,</P><P><SPAN>Recently I have a problem with reinitializing the VPN Certificate on SMB Gateways. on a cloud managed (infinity portal) SMBs 1570, 1535, 1530, and so on with firmware R81.10.10 (996002945), and&nbsp; R81.10.15 (996003913) the VPN certificate is expired, and as it is connected to the SMP, I cannot reinitialize the internal certificate correctly. every time I tried, I got this error: "Failed to reinitialize certificates".</SPAN><BR /><SPAN>The new certificate is there, but it is not healthy, and the VPN is not working.</SPAN><BR /><SPAN>A Professional once told me that certificates on Cload-managed SMBs have to be managed only through SMP. I have done that, and the certificate is on the gateway, but not as a VPN certificate, as a cloud service provider certificate. At this point, the only way I can renew the certificate correctly is to disconnect the gateway from the SMP, renew the certificate, and reconnect it. But this shouldn't be the right way! Its not a solution, its just a workaround!<BR />Has anyone any solution?<BR />Thanks in advance.</SPAN></P> Fri, 14 Feb 2025 09:31:35 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241203#M12063 Soroosh 2025-02-14T09:31:35Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241212#M12064 <P>That seems like a pretty serious issue. I would call TAC and get remote session going to fix it.</P> <P>Andy</P> Fri, 14 Feb 2025 14:51:32 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241212#M12064 the_rock 2025-02-14T14:51:32Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241240#M12066 <P>TAC case is probably best here: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Fri, 14 Feb 2025 20:14:01 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241240#M12066 PhoneBoy 2025-02-14T20:14:01Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241400#M12068 <P>I have a long standing TAC case open on VPN certificate problems on the SMBs.&nbsp; It's really odd that we are still seeing issues with certificates on these (or any) devices.</P><P>&nbsp;</P><P>In my case installing a .p12 certificate bundle for vpn.domain.com on the device, and renewing it had problems.&nbsp; It can be re-done (remove everything, reboot box, and re-install) but this really should NOT be required IMHO.</P><P>&nbsp;</P><P>Of course then when the certificate is actually installed and functioning, the VPN sometimes suddenly fails to see it and stops using the certificate for VPNs causing them to fail.</P><P>&nbsp;</P><P>I have had this issue on newer firmware R81.10.10, R81.10.15, and has finally reached a threshold of 30% failures with one of my clients.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 17 Feb 2025 16:42:25 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/241400#M12068 Ted_Serreyn 2025-02-17T16:42:25Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242258#M12129 <P><A href="https://support.checkpoint.com/results/sk/sk180117" target="_blank">https://support.checkpoint.com/results/sk/sk180117</A></P> Tue, 25 Feb 2025 10:56:14 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242258#M12129 G_W_Albrecht 2025-02-25T10:56:14Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242295#M12140 <P>I am aware o this SK, and it is not applicable in my case as this SK was already resolved in my environment.</P> Tue, 25 Feb 2025 15:20:49 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242295#M12140 Ted_Serreyn 2025-02-25T15:20:49Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242352#M12143 <P>Our customers issue was resolved by the following procedure:</P> <PRE><SPAN class="uiOutputText">- In Expert mode, run:<BR />pt internalCertificate</SPAN><BR /><BR /><SPAN class="uiOutputText">- Look for the Cloud Services certificate (it should have a hashed name, e.g., 34a823sda183f1g4h16.crt).<BR /><BR />- Note the ID number associated with it.<BR /><BR />- Remove the certificate from the database:<BR />sqlcmd “delete from internalCertificate where id=xxxx” (Replace xxxx with the actual ID number.)<BR /><BR />- Reinitialize certificates</SPAN></PRE> Wed, 26 Feb 2025 08:42:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242352#M12143 G_W_Albrecht 2025-02-26T08:42:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242792#M12151 <P>We have a final statement from CP TAC:</P> <P>We reviewed the internal VPN Advanced settings configuration and noticed that all gateways were set to use the last installed certificate for VPN connections.</P> <P>Since the Cloud certificate renews itself automatically, it will always be selected, ensuring that remote access continues to work even if the VPN certificate has expired.</P> <P>It's important to note that if you have already reinitialized the certificates, the VPN certificate will take priority.<BR clear="none" />Since you encountered an error during this process, it may have impacted the certificate installation, making the VPN certificate the latest installed one. This could potentially affect remote access connections.</P> <P>Given this, we strongly recommend leaving the VPN certificate expired if your gateways are connected to SMP.</P> <P>However, if you experience any VPN issues where the VPN certificate has expired and the SMP portal certificate is the last installed certificate, please let CP TAC know, and we will investigate further.</P> <P>At this time, it appears that everything is functioning as expected.</P> Mon, 03 Mar 2025 08:53:33 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Reinitialize-the-Expired-VPN-Certificate/m-p/242792#M12151 G_W_Albrecht 2025-03-03T08:53:33Z