
Renew external (3rd party) certificate for IPSEC VPN


I want to renew the external certificate in the IPSEC VPN tab as it will expire soon. I have gone through some docs and came to know that:

In a typical SSL configuration, you receive all the necessary certificates after you generate the CSR Code and your CA validates your request. After the CA signs an SSL Certificate, it sends a ZIP folder with the installation files to the applicant’s email.

Since Check Point VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/PEM versions of your root and intermediate certificates, then generate the CSR and give it to the vendor for certificate generation.

Is this the method I need to follow?

Can someone please share step-by-step procedure to renew external certificate for VPN?



8 Replies

You're talking about IPSEC certificates on one hand but TLS certificates on the other.
Which is it?
In any case, I suspect you will follow the same process you followed to install the third party certificate to begin with.
That may mean recreating the OPSEC CA key (if that changed).

Hi PhoneBoy,

Thanks for reply.

I am talking about the certificate below.


A Trusted CA is already generated for this certificate, but now it is about to expire, so I have to generate a new CA? Can you please share steps to renew this certificate?


You need to remove the existing cert and add/create a new one.
By adding a new one you get a CSR to view. Copy this and get it signed by your CA (DigiCert). Then you complete the CSR with the cert.

OK. So when I remove the cert, will that wildcard FQDN be impacted?



Delete the old one and publish the changes, but don't do a policy push. After that you can do the CSR and request/install the new cert with little or no downtime.




So we need a no-change window for them? The customer expects it to take 2-3 days to get it signed, so no change window for that long? And if they have to make a change, we roll back to a migrate export we'll take before the change?


I am also wondering: if there is a lengthy time between when the CSR is generated and the cert is installed, and a CRL is checked, do the tunnels go down because the old cert is revoked?
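One way to check the signed bundle before completing the CSR on the gateway, added here as an example and not taken from this thread or from Check Point: the script uses openssl to confirm that the certificate the vendor returned was issued for the CSR's key, that it chains to the vendor-supplied root through the supplied intermediate, and it prints the validity window so the change window can be planned against it. The root, intermediate, CSR, file names and CA names are all constructed stand-ins for the real vendor chain and the gateway's CSR.

```shell
#!/bin/sh
# Added example, not from the thread: pre-install checks on a vendor-signed cert.
# Everything here is constructed: the "root"/"intermediate" are a throwaway demo
# CA standing in for the vendor's PEM chain, and gw.csr stands in for the CSR the
# gateway displays after "add/create a new one".
set -e
WORK=$(mktemp -d)

make_demo_chain() {   # constructed root + intermediate (not a real vendor's)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null
}

make_gateway_csr() {  # constructed stand-in for the CSR copied out of the gateway
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
    -keyout "$WORK/gw.key" -out "$WORK/gw.csr" 2>/dev/null
}

sign_csr() {          # stand-in for the vendor signing step: $1 = CA cert, $2 = CA key
  openssl x509 -req -in "$WORK/gw.csr" -CA "$1" -CAkey "$2" -CAcreateserial \
    -days 365 -out "$WORK/gw.pem" 2>/dev/null
}

# verify_bundle CSR CERT ROOT INTERMEDIATE: returns 0 only if the signed cert was
# issued for this CSR's key and chains to the supplied root through the supplied
# intermediate; also prints the validity window for change-window planning.
verify_bundle() {
  csr_pub=$(openssl req -in "$1" -pubkey -noout | openssl sha256)
  crt_pub=$(openssl x509 -in "$2" -pubkey -noout | openssl sha256)
  [ "$csr_pub" = "$crt_pub" ] || { echo "key mismatch: cert was not issued from this CSR"; return 1; }
  openssl verify -CAfile "$3" -untrusted "$4" "$2" >/dev/null 2>&1 \
    || { echo "chain does not validate against the supplied root/intermediate"; return 1; }
  openssl x509 -in "$2" -noout -dates
}

make_demo_chain
make_gateway_csr
sign_csr "$WORK/int.pem" "$WORK/int.key"
verify_bundle "$WORK/gw.csr" "$WORK/gw.pem" "$WORK/root.pem" "$WORK/int.pem" \
  && echo "bundle OK: safe to complete the CSR on the gateway"
```

On a real renewal, replace the constructed files with the CSR copied from the gateway, the certificate the vendor returned, and the vendor's root and intermediate PEMs; a failing check means the bundle should not be used to complete the CSR.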


This whole thread is full of really great questions. Questions that I have not seen any good answers to from Check Point anywhere. The fact that you can't generate a CSR without a CA is beyond bizarre to me, and I can't think of any good reason for that. The additional limitations of having more than one certificate to a "CA object" and not being able to have two identical cert chains referenced in different "CA objects" make it impossible to use two certificates from the same CA using the same cert chain.

Certificate changes are a routine operational task, and it should be as simple as: generate a CSR (no need for the CA cert chain ahead of time), get the CSR signed by the 3rd party, upload the signed certificate bundle to complete the installation, and then change the reference to the certificate used for whichever service needs a cert change. None of that should be disruptive in any way, and when the certificate reference is changed the new public key and certificate get provided for any connections established after that point. Fallback is as simple as changing the reference back to the old certificate.

I am blown away at how complicated such a simple task is for Check Point to pull off.

