This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
TQuila
Explorer
‎2020-04-23 11:34 PM

Renew IPSec VPN certificates for 3rd party in large environment

We are running large scale VPN (LSV) for thousands 3rd party DAIP devices on R77.30 gw cluster. By the default server (CPGW) certificate as well the certificates for the 3rd party devices will expire after 5 years. Checkpoint SMS has been used for generating certificates. Renewing 3rd party device certificates is straight forward renew and deploy. Distribution will be long process and can't be done at once in single night. Downtime for each connection should be minimal. More than 1 hour is a disaster.

We are stuck on a question how to renew server certificate and distribute it to all devices in long period of time.

I have understood that one way could be that we have two supported server (GW) certificates to be able to do renewal in reasonable time window. But is it possible to have old and new certificate on the GW from Checkpoint SMS CA?

Any tips regarding the renewing process how it will goes are welcome.

 

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2020-04-25 07:34 PM

The main thing is whether the certificates will be signed by a trusted CA.
If you're only changing the cert and it's signed by the same CA, I don't believe anything needs to be chamged in the Check Point config as the only thing related to certs in the VPN config is the trusted CA.
Even so, I believe multiple CAs can be trusted and that config is fixed with a simple policy install.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events