ProxyOps
Contributor

ACME Support in Check Point products | SSL/TLS certificate lifespans reduced to 47 days by 2029

Hello Checkmates!

As you may have already heard, the CA/Browser Forum has voted to significantly reduce the lifespan of SSL/TLS certificates over the next 4 years, with a final lifespan of just 47 days starting in 2029.

We are currently replacing our certificates via cpopenssl yearly by hand, but this is no longer feasible when the lifespans will be reduced every year from now until 2029.

Are there already out-of-the-box solutions in the Check Point product suite for protocols like ACME to support auto-renewal of certificates in Check Point products?

Best regards

Accepted Solutions
PhoneBoy
Admin

I know we have REST API support for changing certificates used for HTTPS Inspection as well as some of the certificates on the gateway itself in R82.
That's not ACME support, of course.
I recommend engaging with your local Check Point office with your precise requirements.


Alex-
MVP Silver

Read about this today too, the changes will be phased as follows:

  • March 15, 2026: Newly issued certificates, including their Domain Control Validation, aka DCV, will have to be renewed every 200 days.
  • March 15, 2027: That lifespan will go down to 100 days.
  • March 15, 2029: New SSL/TLS certificates will be limited to 47 days, and 10 days for DCVs.


8 Replies
the_rock
MVP Diamond

Read about it yesterday, was having hard time believing it was true, but it definitely is.


Best,
Andy
"Have a great day and if its not, change it"
Nüüül
Advisor

I second this. It would be great to configure the multiportal daemon to present ACME certificates and renew them automatically. Something completely different from HTTPS inspection.

It would also be great to have an option on several portals independent from each other (perhaps per hostname instead of per port), in SmartConsole / the management API, for SAML VPN, SSL VPN, UserCheck and so on.

GHaider
Contributor

I also have taken this to Check Point support, and they said I should submit an RFE via the Check Point office...

...the funny thing is that they don't seem to know their own product, because with the R82 API you can already do all the needed certificate settings...

see https://sc1.checkpoint.com/documents/latest/APIs/index.html?#cli/set-simple-cluster~v2.0.1

For example, add via API:

mgmt_cli --root true set simple-cluster name "CLUSTER" vpn-settings.certificates.add.name "testcertdeleteme" vpn-settings.certificates.add.certificate-authority "HARICA_TLS_RSA_Root_CA_2021" vpn-settings.certificates.add.enrollment.enrollment-settings.distinguished-name "CN=commonname.com,O=Org,ST=Vienna,C=AT" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.1.name-type "fqdn" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.1.value "3.commonname.com" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.2.name-type "fqdn" vpn-settings.certificates.add.enrollment.enrollment-settings.alternate-names.2.value "firewall.commonname.com"

Remove via API:

mgmt_cli --root true set simple-cluster name "CLUSTER" vpn-settings.certificates.remove "cername_exp20251113" ignore-warnings "true"

UserCheck portal would be:

mgmt_cli --root true set simple-cluster name "CLUSTER" usercheck-portal-settings.certificate-settings

So if you have the certificate via ACME, you can import it via the API, at least on R82.

Nüüül
Advisor

Thanks mate! Will have a look at it shortly.

ProxyOps
Contributor

Any news from Check Point regarding the sword of Damocles hanging over certificate lifespans?
Our certificates for the web SmartConsole now need to be replaced every 7 months, and I really hate the idea of doing this manual renewal process every 47 days in 2029.

Is there any strategy / recommendation from Check Point, or is every Check Point customer on their own?

genisis__
MVP Silver

I think it's important to note that this challenge is faced by all vendors, so it would logically make sense that all vendors need to update their systems to have a user-friendly mechanism to auto-renew certificates, either via a public CA or a private CA.
From a Check Point perspective, there should be a solution that addresses this via SmartConsole and also at the Gaia WebUI level, as it is feasible to have a device-level certificate.

I'm not sure why an RFE would be needed considering the industry-level impact here.

The question here also is: if using certificates becomes impractical, then what are the alternatives to safeguard sites and identities?

