This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jeremy_Vickers
Explorer
‎2020-06-23 12:26 PM

letsencrypt.org acme protocol - inbound ssl inspection

I'm wondering if it is possible to automate the renewal and update of certificates that are within an inbound ssl inspection ruleset. It would be nice to take advantage of letsencrypt.org for web certificates. There are some bash scripts available to use but i don't know how to programatically update a ssl certificate on the checkpoint firewalls. 

 

Please advise.

 

 

13 Replies
PhoneBoy
Admin
Admin
‎2020-06-28 11:49 PM

We have no formal integration with Let's Encrypt.
Versions of management prior to R80.40 do not have APIs for HTTPS Inspection policy, either.
Might be possible to script/API this with R80.40 management, but haven't tried personally.
bmartins-EUDA
Contributor
‎2022-01-21 01:48 AM
In response to PhoneBoy

Have you tried it already? I was also interested on this.

0 Kudos
Stefan_Roesch
Employee
Employee
‎2022-10-04 03:55 AM
In response to bmartins-EUDA

Hello,
any new experience with Let's encrypt and automatic cert replacement?
Thanks!

BR Stefan

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-04 07:17 AM
In response to Stefan_Roesch

I am not familiar with any specific plans to integrate with Let’s Encrypt.
Customers should engage with their local Check Point office with this requirement.
Employees should engage internally with Solution Center.

0 Kudos
WE
Explorer
‎2023-01-16 06:12 AM

Were you ever successful? I tried to use LE for the VPN certificate, and the CP appliance fails because the name on the certificate contains an apostrophe (i.e., Let's Encrypt). Because of that (and CP not fixing the issue), I can't use LE for its certs.

0 Kudos
_Val_
Admin
Admin
‎2023-01-16 06:34 AM
In response to WE

If you need LE certificates to be supported, please raise an RFE with your local Check Point team. 

0 Kudos
WE
Explorer
‎2023-01-16 06:43 AM
In response to _Val_

See SR#6-0003485196; the initial issue was not specific to LE, but researching the problem unearthed the problem. I did request that they escalate that portion; I do not know how to see any status of that request.

Thanks.

0 Kudos
_Val_
Admin
Admin
‎2023-01-16 07:16 AM
In response to WE

Does this request belong to you or someone else?

0 Kudos
_Val_
Admin
Admin
‎2023-01-16 07:19 AM
In response to WE

From what I see, that SR is unrelated to the subject in hands.

0 Kudos
WE
Explorer
‎2023-01-16 07:24 AM
In response to _Val_

Yes, which I said in my first reply to you, "the initial issue was not specific to LE". It was during the support discussion that we attempted other certificates, at which point the deficiency (apostrophes in certificate names) was identified.

Since it seems that you can see the conversation, can you confirm that my request to escalate is in some form of a "please fix/implement" queue? If not, what words need to be said to make that happen?

0 Kudos
_Val_
Admin
Admin
‎2023-01-16 08:53 AM
In response to WE

The SR above is closed. AFAIK, Let's Encrypt certificates are not supported, but if you need an official confirmation of that, please open a TAC request and ask.

If you need Check Point to support them, please open and RFE with your local Check Point representative, as I mentioned already.

0 Kudos
aheilmaier2
Participant
‎2024-10-25 06:29 AM
In response to _Val_

are there any API support to exchange ipsec/RAS certificates ?

I only have the Option via UI, with R82 there came some new APIs, but only for https inspection nothing for ipsec/ras.
Any scripting I do not know on how to start, all gets done via CP Manager GUI.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-25 01:13 PM
In response to aheilmaier2

APIs for this are present in R82...in the relevant gateway/cluster object
https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-gateway~v2%20 
https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-cluster~v2%20 

image.png

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events