This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
henryck
Participant
‎2022-08-02 09:36 PM
Jump to solution

Endpoint Security certificate based VPN prompting expiry

Hello

Our EPS agent is configured to use certificate based VPN to centrally managed R81.10 gateways. Internal ADCS/ADDS enrollment policies are configured to auto renew certificates, however our endpoints are currently prompting users with a dialogue to contact the sysadmin due to an expiring certificate.

Is anyone aware of how to turn this off in the registry, or disable the prompt from policy? Attachment of the error is attached.

Thank you

Preview file
38 KB
0 Kudos
1 Solution

Accepted Solutions
AndreiR
Employee
Employee
‎2022-08-12 10:41 AM
In response to AndreiR
Jump to solution

Hello @henryck ,

In short, if your users have only one personal certificate for authentication in VPN, you may set the "certificate_auto_renewal_threshold" parameter to 0. Refer sk75221 and sk177463. But be aware of the risk that if for some reason certificate has expired (say, user didn't connect to domain controller for long time), user will not be able to connect to VPN.

This trick might not work (we are still checking this) if some user have several personal certificates installed simultaneously (with same Subject but different Serial Numbers).

 

View solution in original post

5 Replies
AndreiR
Employee
Employee
‎2022-08-03 06:34 AM
Jump to solution

Hi @henryck ,

This screen tells user that his personal certificate which is used for authentication will be expired soon.

Could you please elaborate what "ADCS / ADDS" is? 

0 Kudos
henryck
Participant
‎2022-08-03 03:34 PM
In response to AndreiR
Jump to solution

Hi Andrei

I'd like to disable it as we do not want the users to know, as it generates tickets.

Active directory certificate services are used for PKI, its a windows environment. 

Thank you

0 Kudos
AndreiR
Employee
Employee
‎2022-08-04 06:13 AM
In response to henryck
Jump to solution

@henryck ,

I'll check some details and get back to you soon.

And let me know please which exact Endpoint product and version you use.

0 Kudos
AndreiR
Employee
Employee
‎2022-08-12 10:41 AM
In response to AndreiR
Jump to solution

Hello @henryck ,

In short, if your users have only one personal certificate for authentication in VPN, you may set the "certificate_auto_renewal_threshold" parameter to 0. Refer sk75221 and sk177463. But be aware of the risk that if for some reason certificate has expired (say, user didn't connect to domain controller for long time), user will not be able to connect to VPN.

This trick might not work (we are still checking this) if some user have several personal certificates installed simultaneously (with same Subject but different Serial Numbers).

 

henryck
Participant
‎2022-08-14 04:37 PM
In response to AndreiR
Jump to solution

Thanks for getting back, I will test this out. Our endpoints should only have a single certificate so this should hopefully work to disable to prompts. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events