This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ProxyOps
Contributor
‎2025-04-15 12:36 AM
Jump to solution

ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

Hello Checkmates!

As you may have already heared the CA/Browser Forum has voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029.

We are currently replacing our certificates via cpopenssl yearly by hand but this is no longer feasible when the lifespans willl be reduced every year now until 2029.

Are there already out of the box solutions in the Check Point product suite for protocols like ACME to support auto renewal of certificates in Check Point products?

Best regards


(1)
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2025-04-15 09:40 AM
Jump to solution

I know we have REST API support for changing certificates used for HTTPS Inspection as well as some of the certificates on the gateway itself in R82.
That's not ACME support, of course.
I recommend engaging with your local Check Point office with your precise requirements.

View solution in original post

Alex-
MVP Silver
MVP Silver
‎2025-04-15 10:17 AM
Jump to solution

Read about this today too, the changes will be phased as follows:

  • March 15, 2026: Newly issued certificates, including their Domain Control Validation, aka DCV, will have to be renewed every 200 days.
  • March 15, 2027: That lifespan will go down to 100 days.
  • March 15, 2029: New SSL/TLS certificates will be limited to 47 days, and 10 days for DCVs.

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2025-04-15 09:40 AM
Jump to solution

I know we have REST API support for changing certificates used for HTTPS Inspection as well as some of the certificates on the gateway itself in R82.
That's not ACME support, of course.
I recommend engaging with your local Check Point office with your precise requirements.

Alex-
MVP Silver
MVP Silver
‎2025-04-15 10:17 AM
Jump to solution

Read about this today too, the changes will be phased as follows:

  • March 15, 2026: Newly issued certificates, including their Domain Control Validation, aka DCV, will have to be renewed every 200 days.
  • March 15, 2027: That lifespan will go down to 100 days.
  • March 15, 2029: New SSL/TLS certificates will be limited to 47 days, and 10 days for DCVs.
the_rock
MVP Platinum
MVP Platinum
‎2025-04-15 04:12 PM
Jump to solution

Read about it yesterday, was having hard time believing it was true, but it definitely is.

Andy

Best,
Andy
0 Kudos
Nüüül
Advisor
Advisor
‎2025-04-16 12:13 AM
Jump to solution

i second this. would be great to configure multiportal deamon to present ACME certificates and renew them automatically.  something completely different from https inspection

 

Great would be  being able to have an option on several portals independent from each other. (perhaps per hostname, instead port) and in smartconsole / mgmt api - like saml-vpn, sslvpn, usercheck and so on.

 

 

GHaider
Contributor
a week ago
In response to Nüüül
Jump to solution

i also have taken this to checkpoint support, and they said i should submit a RFE via checkpoint office...

...funny thing is that they don't seem to know there own product, because with R82 API you can already do all the needed certificate settings...

see https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/set-simple-cluster~v2.0.1

for example:

add via api:
mgmt_cli --root true set simple-cluster name "CLUSTER" vpn-settings.certificates.add.name "testcertdeleteme" vpn-settings.certificates.add.certificate-authority "HARICA_TLS_RSA_Root_CA_2021" vpn-settings.certificates.add.enrollment.enrollment-settings.distinguished-name "CN=commonname.com,O=Org,ST=Vienna,C=AT" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.1.name-type "fqdn" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.1.value "3.commonname.com" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.2.name-type "fqdn" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.2.value "firewall.commonname.com"
remove via api:
mgmt_cli --root true set simple-cluster name "CLUSTER" vpn-settings.certificates.remove "cername_exp20251113" ignore-warnings "true"

usercheck portal would be:

mgmt_cli --root true set simple-cluster name "CLUSTER" usercheck-portal-settings.certificate-settings

so if you have the certificate via acme, you can import it via api, at least on R82

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events