- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
I have a question.
My customer is currently using a virtual GW as VPN GW, the VPN users have to authenticate themselves with a certificate.
The customer wants to replace his GW with a new one (new release), is it possible to migrate the certificate from the old GW to the the new one?
Thank you
In general, there is no way to export the private key of a gateway and import it to another.
If they use the same Certificate Authority (ie are managed by the same management), then this shouldn’t create an issue since it’s ultimately the CA that validates a certificate is valid.
Other than possibly a fingerprint message when the user connects to the new gateway for the first time, there shouldn’t be any issues authenticating.
More details about your current and proposed configuration (current version, target version, how is the gateway managed from what versions, etc) would help clarify our answers.
Why not update the existing GW to the new release ? This would keep everything...
Because he want to restart from scratch with a new one
Not possible without TAC afaik.
In general, there is no way to export the private key of a gateway and import it to another.
If they use the same Certificate Authority (ie are managed by the same management), then this shouldn’t create an issue since it’s ultimately the CA that validates a certificate is valid.
Other than possibly a fingerprint message when the user connects to the new gateway for the first time, there shouldn’t be any issues authenticating.
More details about your current and proposed configuration (current version, target version, how is the gateway managed from what versions, etc) would help clarify our answers.
Hi Phone Boy,
We have 2 GWs, a 3800 (R80.40) and an 1800 (R80.20.50).
According to your comment, can I use the same certificate to connect to different GW's VPN if they use the same MGMT (Same CA)?
I have tried, but in the logs (after vpn debug ikeon), I see the below in the smart logs:
It's strange, it can see the correct DN, but shows "user DN unknown" and for the key install it shows "invalid certificate".
Any ideas please?
I also tried to create a new client certificate and enroll that one to the other GW, but still fails. (i.e. one client certificate per gw per user)
Suggest involving the TAC to troubleshoot this: https://help.checkpoint.com
Please also note that R80.20.x will be EOL in Oct-23, please refer:
https://www.checkpoint.com/support-services/support-life-cycle-policy/#embedded-security
Hey @GSallin
Not sure if it is possible, but below discussion might be helpful:
Andy
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count |
|---|---|
| 70 | |
| 23 | |
| 8 | |
| 5 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 3 | |
| 3 |
Tue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY