Ivory

Renew IPSec VPN certificates for 3rd party in large environment

We are running large scale VPN (LSV) for thousands of 3rd party DAIP devices on an R77.30 gw cluster. By default, the server (CPGW) certificate as well as the certificates for the 3rd party devices will expire after 5 years. Checkpoint SMS has been used for generating certificates. Renewing 3rd party device certificates is a straightforward renew and deploy. Distribution will be a long process and can't be done at once in a single night. Downtime for each connection should be minimal. More than 1 hour is a disaster.

We are stuck on the question of how to renew the server certificate and distribute it to all devices over a long period of time.

I have understood that one way could be that we have two supported server (GW) certificates to be able to do the renewal in a reasonable time window. But is it possible to have the old and new certificates on the GW from Checkpoint SMS CA?

Any tips regarding how the renewal process will go are welcome.

 

0 Kudos
1 Reply
Admin

The main thing is whether the certificates will be signed by a trusted CA.
If you're only changing the cert and it's signed by the same CA, I don't believe anything needs to be changed in the Check Point config, as the only thing related to certs in the VPN config is the trusted CA.
Even so, I believe multiple CAs can be trusted and that config is fixed with a simple policy install.
0 Kudos
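
The reply's point that trust is anchored on the CA rather than on one particular gateway certificate, as an added example that is not part of the original thread: a throwaway CA signs an "old" and a "new" gateway certificate, both verify against the same CA file, and a certificate from a different CA does not. All names, subjects and lifetimes are constructed, and `openssl verify` stands in for the peer's validation, which is an assumption about how the 3rd party devices check the gateway.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and gateway certificates; all names are made up.
# Assumption: a peer validates the gateway certificate only against its trusted CA,
# modelled here with `openssl verify`.

make_ca() {          # $1 = work dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=example/CN=Demo Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {       # $1 = work dir, $2 = label, $3 = lifetime in days
    openssl req -newkey rsa:2048 -nodes -subj "/O=example/CN=demo-gw VPN" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/$2.pem" 2>/dev/null
}

peer_accepts() {     # $1 = CA file the peer trusts, $2 = certificate presented
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

expires_within() {   # $1 = certificate, $2 = seconds; true if it expires in that window
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) && o=$(mktemp -d) || return 1
    make_ca "$d" && issue_cert "$d" old 1 && issue_cert "$d" new 1825
    make_ca "$o" && issue_cert "$o" foreign 1825   # same names, different CA key
    for c in "$d/old.pem" "$d/new.pem" "$o/foreign.pem"; do
        if peer_accepts "$d/ca.pem" "$c"; then r=accepted; else r=rejected; fi
        if expires_within "$c" 2592000; then e="expires within 30 days"; else e="not expiring soon"; fi
        echo "$(basename "$c"): $r, $e"
    done
    rm -rf "$d" "$o"
}

demo
```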