Heath
Collaborator

How are you keeping up with Check Point VPN/SIC Certificates

Our process is very manual and we've missed some recently with VPN certificates being renewed. How are others tracking and renewing Check Point VPN/SIC certificates?

0 Kudos
7 Replies
Bob_Zimmerman
MVP Gold

I've never tracked SIC certs. They should renew on their own.

VPN certs should too, but I keep getting alerts about VPN cert expiration on firewalls which have never even had the VPN feature enabled. Not sure how best to deal with those.

Heath
Collaborator

We did find in the documentation where the SIC certs renew at 75% validity. The problem we have is I guess you have to push policy for the auto-renewal to take effect. We have remote static unmanned sites where the firewalls are pretty much set it and forget it. So we've had issues in the past and try to track those just to make sure it doesn't happen. Of course, all manual.

0 Kudos
Bob_Zimmerman
MVP Gold

My team has scripted pushes of basically every policy to the corresponding firewall. The idea is we don't want some change lurking for months to bite us just as we need to push policy to deal with some emergency.

It should be possible to script something with 'cpca_client lscert -kind SIC -stat Valid'. Dealing with the multi-line output would probably be the most irritating part.

0 Kudos
Duane_Toler
MVP Silver

Yep.  Here's what I did:

#!/bin/bash
# I use Nagios
. /usr/lib/nagios/plugins/utils.sh

# Shared state: check_cert_time() ORs each certificate's state into exitstatus
# and appends to the status/perfdata strings.
exitstatus=0
status_msg=""
perf_msg=""
DATE_NOW=$(date +%s)
WARN_LEV=${WARN_LEV:-30}   # days left before WARNING (default assumed; the post does not give one)
CRIT_LEV=${CRIT_LEV:-7}    # days left before CRITICAL (default assumed; the post does not give one)

check_ike_certs() {
  local cert_block="" cert_host="" cert_time=""
  local cert_host_regex="^Subject = CN=(.*) VPN Certificate"
  local cert_time_regex="Not_After: (.*)"
  declare -A cert_list  # associative array of "cert_host = cert_time"
  declare -a cert_host_list  # to hold sorted list of cert hosts

  while read -r cert_block; do
    if [[ ${cert_block} =~ ^$ ]]; then
      # a blank line ends one certificate's block; record it if both fields were seen
      if [[ -n "${cert_host}" && -n "${cert_time}" ]]; then
        cert_list[${cert_host}]="${cert_time}"
      fi
      cert_host=""
      cert_time=""
    elif [[ ${cert_block} =~ ${cert_host_regex} ]]; then
      cert_host=${BASH_REMATCH[1]}
    elif [[ ${cert_block} =~ ${cert_time_regex} ]]; then
      cert_time=${BASH_REMATCH[1]}
    fi
  done < <(cpca_client lscert -stat Valid -kind IKE; echo)  # trailing echo adds a blank line so the last block is flushed

  # sort the associative array keys to a natural list
  mapfile -t cert_host_list < <(printf '%s\n' "${!cert_list[@]}" | sort -f)

  for c_host in "${cert_host_list[@]}"; do
    check_cert_time "${c_host}" "${cert_list[${c_host}]}"
  done

  # check exit status against bitwise code and exit accordingly
  if (( exitstatus )); then
    echo "${status_msg} | ${perf_msg}"

    if (( exitstatus & 4 )); then
      exitstatus="UNKNOWN"
    elif (( exitstatus & 2 )); then
      exitstatus="CRITICAL"
    elif (( exitstatus & 1 )); then
      exitstatus="WARNING"
    fi
  else
    echo "IKE certificates are OK | ${perf_msg}"
    exitstatus="OK"
  fi
}

# deal with $exitstatus however you want.
--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)
Duane_Toler
MVP Silver

You probably need that check_cert_time() function, too:

check_cert_time() {
  local cert_host=$1
  local cert_time=$2
  local cert_tm cert_days

  # GNU date turns the Not_After string into epoch seconds; failure means an unexpected format
  if ! cert_tm=$(date +"%s" -d "${cert_time}" 2>/dev/null); then
    exitstatus=${STATE_UNKNOWN}
    status_msg="Error processing certificate status (cert_host: ${cert_host})"
    echo "${status_msg}"
    exit "${exitstatus}"
  fi

  cert_days=$(( (cert_tm - DATE_NOW) / 86400 ))

  # states are ORed together so the caller can report the worst one
  if (( cert_days > WARN_LEV )); then
    status_msg=${status_msg:+${status_msg}"<br>"}"${cert_host} is OK"
    exitstatus=$(( exitstatus | STATE_OK ))
  elif (( cert_days > CRIT_LEV )); then
    status_msg=${status_msg:+${status_msg}"<br>"}"${cert_host} is WARNING"
    exitstatus=$(( exitstatus | STATE_WARNING ))
  else
    status_msg=${status_msg:+${status_msg}"<br>"}"${cert_host} is CRITICAL"
    exitstatus=$(( exitstatus | STATE_CRITICAL ))
  fi

  perf_msg=${perf_msg:+${perf_msg}"<br>"}"${cert_host}: ${cert_days}"
}

The status and perfdata message variables are just to feed info back into Nagios.  Do with these what you want ...or not.

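Bob's suggestion (script around cpca_client lscert and cope with its multi-line output) and Duane's bash plugin both key on the same two fields. Here is an added example, not code from the thread, written in Python so it can be run and tested offline: it splits the lscert output into blank-line-separated blocks, reads the Subject CN, Kind and Not_After fields, and maps days-left onto Nagios states. The sample output, the date layout and the 30/7-day thresholds are constructed assumptions, not captured from a real Check Point system.

```python
import re
from datetime import datetime
SUBJECT_RE = re.compile(r"^Subject = CN=([^,]+)")      # same field the thread's regex keys on
KIND_RE = re.compile(r"\bKind = (\w+)")                 # IKE (VPN) or SIC
NOT_AFTER_RE = re.compile(r"Not_After:\s+(.+?)\s*$")
DATE_FMT = "%a %b %d %H:%M:%S %Y"  # assumed layout of the Not_After value
STATE = {"OK": 0, "WARNING": 1, "CRITICAL": 2}  # Nagios exit codes

# Constructed sample of `cpca_client lscert -stat Valid` output (not captured from a real system).
SAMPLE_LSCERT = """Operation succeeded. 3 certificates have been found.

Subject = CN=hq-fw1 VPN Certificate,O=mgmt.example.abc123
Status = Valid   Kind = IKE   Serial = 1001   DP = 0
Not_Before: Mon Jan  1 00:00:00 2024   Not_After: Thu Jan  1 00:00:00 2026

Subject = CN=branch-fw7 VPN Certificate,O=mgmt.example.abc123
Status = Valid   Kind = IKE   Serial = 1002   DP = 0
Not_Before: Mon Jan  1 00:00:00 2024   Not_After: Sun Jan 12 00:00:00 2025

Subject = CN=branch-fw7,O=mgmt.example.abc123
Status = Valid   Kind = SIC   Serial = 1003   DP = 0
Not_Before: Mon Jan  1 00:00:00 2024   Not_After: Sat Jan  4 00:00:00 2025
"""

def parse_date(s):
    return datetime.strptime(" ".join(s.split()), DATE_FMT)
def parse_lscert(text):
    """Each blank-line-separated block is one certificate; the header block has no Subject and is skipped."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        host = kind = not_after = None
        for line in block.splitlines():
            if m := SUBJECT_RE.match(line):
                host = m.group(1).replace(" VPN Certificate", "")
            if m := KIND_RE.search(line):
                kind = m.group(1)
            if m := NOT_AFTER_RE.search(line):
                not_after = parse_date(m.group(1))
        if host and not_after:
            certs.append({"host": host, "kind": kind, "not_after": not_after})
    return certs

def classify(certs, now, warn_days=30, crit_days=7):
    # days left per cert and its state; the worst state becomes the plugin exit code
    worst, rows = 0, []
    for c in certs:
        days = (c["not_after"] - now).days
        state = "OK" if days > warn_days else "WARNING" if days > crit_days else "CRITICAL"
        worst = max(worst, STATE[state])
        rows.append((c["host"], c["kind"], days, state))
    return worst, rows
```

On a gateway or management server, feed `classify` the real output of `cpca_client lscert -stat Valid` (add `-kind IKE` or `-kind SIC` to narrow it) and use the returned code as the plugin's exit status.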
Alex-
MVP Silver

Unless I missed something, VPN certs don't auto-renew. On systems without VPN this is done by enabling IPsec VPN, renewing it, then disabling the blade, publishing and installing; on systems which care about them this is done by renewing it manually in the blade section as well.

There's an SK about this, also referencing another relatively recent tool to renew: https://support.checkpoint.com/results/sk/sk178304

As there's no apparent added value to keep an expired certificate, I agree they should renew themselves by default and be distributed by the management station.

0 Kudos
CaseyB
Advisor

I have not found a good way, but the current method I use is:

  • After upgrading the SMS, push policy to all gateways

I upgrade frequently enough that I generally catch all the certificate warnings in the policy push.

0 Kudos