This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Gaurav_Pandya
Advisor
‎2020-02-10 08:05 AM

Renew external (3rd party) certificate for IPSEC VPN

Hi,

I want to renew external certificate in IPSEC VPN TAB as it will expire soon. I have gone thru some docs and came to know that,

In a typical SSL configuration, you receive all the necessary certificates after you generate the CSR Code and your CA validates your request. After the CA signs an SSL Certificate, it sends a ZIP folder with the installation files to the applicant’s email.

Since Checkpoint VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/pem versions of your root and intermediate certificates. then generate CSR and give it to vendor for certificate generation.

Is this the method I need to follow?

Can someone please share step-by-step procedure to renew external certificate for VPN?

 

 

0 Kudos
8 Replies
PhoneBoy
Admin
Admin
‎2020-02-11 05:55 PM

You’re talking about IPSEC certificates in one hand but TLS certificates on the other.
Which is it?
In any case, I suspect you will follow the same process you followed to install the third party certificate to begin with.
That may mean recreating the OPSEC CA key (if that changed).
Gaurav_Pandya
Advisor
‎2020-02-21 01:36 AM
In response to PhoneBoy

Hi PhoneBoy,

Thanks for reply.

I am talking about below certificate.

Snap.JPG

Trusted CA is already generated for this certificate but now it is about to expire so I have to generate new CA? Can you please share steps to renew this certificate?

Norbert_Bohusch
Advisor
‎2020-02-21 06:38 AM
In response to Gaurav_Pandya

You need to remove existing cert, add/create a new one.
By adding a new one you get a CSR to view. Copy this and get it signed by your CA (digicert). Then you complete the CSR with the cert.
Gaurav_Pandya
Advisor
‎2020-02-21 06:44 AM
In response to Norbert_Bohusch

ok. So when I remove cert, that wildcard FQDN will be impacted? 

 

0 Kudos
PBC_Cyber
Contributor
‎2020-02-21 09:06 AM
In response to Gaurav_Pandya

Delete the old one and publish the changes but don't do a policy push.  After that you can do the CSR and request/install the new cert with little or no downtime. 

 

 

Daniel_Westlund
Collaborator
Collaborator
‎2020-02-24 02:08 PM
In response to PBC_Cyber

So we need a no change window for them?  Customer expects it to take 2-3 days to get it signed, so no change window for that long?  And if they have to make a change, we roll back to a migrate export we'll take before the change?

Douglas_Rich
Collaborator
Collaborator
‎2020-09-18 12:42 PM
In response to Daniel_Westlund

I am too wondering if there is a lengthy time between when the CSR is generated and the Cert is installed if a CRL is checked and the tunnels goes down because the old cert is revoked?

0 Kudos
dwilliams-dmu
Participant
‎2022-01-14 07:20 AM

This whole thread is full of really great questions.  Questions that I have not seen any good answers to from Checkpoint anywhere. The fact that you can't generate a CSR without a CA is beyond bizarre to me and I can't think of any good reason for that.  The additional limitations to having more than one certificate to a "CA object" and not being able to have two identical cert chains referenced in different "CAs objects" make it impossible to use two certificates from the same CA using the same cert chain.

Certificate changes are a routine operational task and it should be as simple as generate a CSR (no need for CA cert chain ahead of time) get the CSR signed by 3rd party, upload signed certificate bundle to complete the installation, and then change the reference to the certificate used for whichever service needs a cert change.  None of that should be disruptive in any way and when the certificate reference is changed the new public key and certificate get provided for any connections established after that point.  Fallback is as simple as changing the reference back to the old certificate.  

I am blown away at how complicated such a simple task is for Checkpoint to pull off.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events