HeikoAnkenbrand
MVP Diamond

Automatically Renew VPN Certificates

It is a recurring challenge to regenerate and maintain all VPN certificates. To automate this process, I used the Check Point script described in sk182070. The following guide explains how to implement it and how to execute it automatically.


1) Download the Check Point script from sk182070


Download the Check Point script from sk182070 to your Management Server and create the directory /home/admin/cert/.
Copy the downloaded gateway_cert_util.tar file into this directory and extract it using tar.

# mkdir /home/admin/cert
# cd /home/admin/cert
--> Copy the file gateway_cert_util.tar from the SK into this directory <--
# tar xvf /home/admin/cert/gateway_cert_util.tar
# chmod u+x /home/admin/cert/gateway_cert_util.sh

 


2) Create a cron job to renew all VPN certificates


Create a cron job (once a month at 2:00 AM) to execute the script on the Management Server. The script will automatically renew all VPN certificates that are due to expire within the next 90 days.

# crontab -e
--> Add the following entry to the crontab <--
0 2 1 * * /home/admin/cert/gateway_cert_util.sh -renew 90 -type vpn >> /var/log/gateway_cert_util.log 2>&1

 

 
3) Add a cron job to install the required policy


If you want to automatically install the policy after the certificates have been renewed, you can create an additional cron job (once a month at 3:00 AM) that installs the required policy packages.

If step 3 is not performed, the certificate will be installed during the next policy deployment. The previous VPN certificate will be revoked automatically after 7 days. If you do not install the policy within this period, the Security Gateway will not receive the renewed VPN certificate, which will potentially cause connectivity issues with VPN and web portals on the Security Gateway.

Make sure to replace the policy names with your own. In this example, the policy packages are "Standard" and "POLICY2". You can also install multiple policy packages automatically by adding, removing, or renaming policy names in the echo command.

# crontab -e
--> Add the following entry to the crontab <--
# one mgmt_cli call per package name; xargs appends each name after "policy-package"
# (no "%" in the line: cron turns an unescaped "%" into a newline, see crontab(5))
0 3 1 * * echo "Standard" "POLICY2" | xargs -n 1 mgmt_cli -r true install-policy access true policy-package >> /var/log/gateway_cert_util.log 2>&1

 


4) Check the logs and cron jobs


You can use the following commands to verify that the cron job is running and that the script has written log entries.

# crontab -l
# cat /var/log/gateway_cert_util.log




➜ CCSM Elite, CCME, CCTE, CCVS ➜ www.checkpoint.tips
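Since the renewed certificate is only useful once the policy is pushed within the 7-day window, one way to take the timing out of the equation is to run step 2 and step 3 from a single wrapper script instead of two independent cron jobs. The script below is an added example for this thread (it is not the sk182070 script and not the cron lines above): the gateway_cert_util.sh path and arguments and the mgmt_cli call are taken from the steps above, while the package list, the "run" argument and the log format are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not from sk182070 or the thread): renew VPN certificates and
# install the listed policy packages in the same run, so the policy install
# can never lag the renewal and the 7-day revocation window is not at risk.

CERT_UTIL="${CERT_UTIL:-/home/admin/cert/gateway_cert_util.sh}"   # script from step 1
MGMT_CLI="${MGMT_CLI:-mgmt_cli}"                                   # overridable for testing
LOG_FILE="${LOG_FILE:-/var/log/gateway_cert_util.log}"
RENEW_DAYS="${RENEW_DAYS:-90}"
POLICY_PACKAGES="${POLICY_PACKAGES:-Standard POLICY2}"             # assumed names, space-separated

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Renew every VPN certificate that expires within RENEW_DAYS.
# Returns the exit status of gateway_cert_util.sh.
renew_vpn_certs() {
    log "renewing VPN certificates expiring within $RENEW_DAYS days"
    "$CERT_UTIL" -renew "$RENEW_DAYS" -type vpn >> "$LOG_FILE" 2>&1
}

# Install each policy package named in the arguments.
# Returns the number of packages whose installation failed (0 = all succeeded).
install_policies() {
    local failed=0 pkg rc
    for pkg in "$@"; do
        if "$MGMT_CLI" -r true install-policy policy-package "$pkg" access true >> "$LOG_FILE" 2>&1; then
            log "policy package '$pkg' installed"
        else
            rc=$?
            log "ERROR: installation of policy package '$pkg' failed (exit $rc)"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Full run: renew first, then install. A failed renewal skips the install and
# is reported, so it is visible in the log instead of masked by a policy push.
renew_and_install() {
    if ! renew_vpn_certs; then
        log "ERROR: certificate renewal failed; policy installation skipped"
        return 2
    fi
    # shellcheck disable=SC2086  # intentional word splitting of the package list
    install_policies $POLICY_PACKAGES
}

# Only execute when invoked as "renew_and_install.sh run", e.g. from cron:
#   0 2 1 * * /home/admin/cert/renew_and_install.sh run
case "${1:-}" in
    run) renew_and_install; exit $? ;;
esac
```

Keeping the mgmt_cli loop in a script file rather than in the crontab line also sidesteps the crontab(5) rule that an unescaped "%" is turned into a newline, which is what breaks xargs -I % style one-liners when they are pasted into crontab -e. The log entries it writes carry a timestamp, so cat /var/log/gateway_cert_util.log from step 4 shows when the last renewal and the last install ran.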
4 Replies
Steffen_Appel
Advisor

You need to trigger a policy install to fully automate it.

HeikoAnkenbrand
MVP Diamond

Thanks @Steffen_Appel for the suggestion. I have added a second cron job for automatic policy installation.

Steffen_Appel
Advisor

Thanks but renewed certs are revoked automatically after 7 days...

HeikoAnkenbrand
MVP Diamond

CUT from sk182070 >>>

The previous VPN certificate will be revoked automatically after 7 days. If you do not install the policy within this period, the Security Gateway will not receive the renewed VPN certificate, which will potentially cause connectivity issues with VPN and web portals on the Security Gateway.

<<<CUT

You must install the policy within 7 days. Otherwise, the previous VPN certificate will expire, and the VPN tunnel will no longer function.

Section 3 describes how to automate the policy installation. You should configure this step as a cron job to ensure the policy is installed regularly. Otherwise, connectivity issues may occur after 7 days when the old VPN certificate expires.
