Renew external (3rd party) certificate for IPSEC VPN

Hi,

I want to renew the external certificate in the IPSEC VPN tab as it will expire soon. I have gone through some docs and came to know that:

In a typical SSL configuration, you receive all the necessary certificates after you generate the CSR Code and your CA validates your request. After the CA signs an SSL Certificate, it sends a ZIP folder with the installation files to the applicant’s email.

Since Check Point VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/PEM versions of your root and intermediate certificates. Then generate a CSR and give it to the vendor for certificate generation.

Is this the method I need to follow?

Can someone please share a step-by-step procedure to renew the external certificate for VPN?

7 Replies
Admin

You’re talking about IPSEC certificates on one hand but TLS certificates on the other.
Which is it?
In any case, I suspect you will follow the same process you followed to install the third party certificate to begin with.
That may mean recreating the OPSEC CA key (if that changed).

Hi PhoneBoy,

Thanks for reply.

I am talking about the certificate below.

[attached screenshot: Snap.JPG]

A trusted CA is already generated for this certificate, but now it is about to expire, so do I have to generate a new CA? Can you please share the steps to renew this certificate?


You need to remove the existing cert and add/create a new one.
By adding a new one you get a CSR to view. Copy this and get it signed by your CA (DigiCert). Then you complete the CSR with the cert.
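
An added example, not written by any poster in this thread and not a Check Point tool: a small POSIX shell script around openssl that checks a vendor-signed certificate before the CSR is completed on the gateway. It confirms that the returned cert carries the same public key as the CSR the gateway produced (so it completes this CSR and not an older one), that the cert chains to the root/intermediate PEM files the vendor supplied, and that it stays valid for a minimum number of days. The file names (request.csr, signed.pem, chain.pem) are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from any poster in this thread, not a Check Point utility):
# pre-install sanity checks for a renewed third-party VPN certificate.
# Assumed file names (not Check Point paths):
#   request.csr  CSR exported from the gateway object
#   signed.pem   leaf certificate returned by the vendor CA
#   chain.pem    vendor root + intermediate certificates in PEM form

# Returns 0 when the signed certificate carries the same public key as the
# CSR, i.e. it completes the CSR the gateway generated and not an older one.
csr_matches_cert() {
  csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  cert_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
  [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

# Returns 0 when the leaf chains up to the vendor root through the
# intermediates contained in the chain file.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when the certificate stays valid for at least $2 more days
# (openssl's -checkend exits non-zero if expiry falls inside the window).
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Prints the serial number, which is what a CRL entry would reference and
# what tells the old and new cert apart in the vendor portal.
serial_of() {
  openssl x509 -in "$1" -noout -serial 2>/dev/null | sed 's/^serial=//'
}

# Runs all checks in order and stops at the first failure, so it can gate
# the install step in a change-window runbook.
check_renewal() {
  csr=$1; cert=$2; chain=$3; min_days=${4:-30}
  csr_matches_cert "$csr" "$cert" \
    || { echo "FAIL: certificate does not match the CSR key"; return 1; }
  chain_verifies "$cert" "$chain" \
    || { echo "FAIL: chain does not verify against vendor root/intermediate"; return 1; }
  valid_for_days "$cert" "$min_days" \
    || { echo "FAIL: certificate expires within $min_days days"; return 1; }
  echo "OK: serial $(serial_of "$cert") verified, valid for at least $min_days days"
}

# Command-line use: check_renewal.sh request.csr signed.pem chain.pem [min_days]
if [ "$#" -ge 3 ]; then
  check_renewal "$@"
fi
```

Run it as `sh check_renewal.sh request.csr signed.pem chain.pem 30` once the vendor returns the signed certificate; a non-zero exit means the cert should not be used to complete the CSR. The key-match check is the one that catches a cert issued against a CSR from the previous renewal, which the gateway would reject only after the old cert is already gone.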

OK. So when I remove the cert, will that wildcard FQDN be impacted?

Nickel

Delete the old one and publish the changes, but don't do a policy push. After that you can do the CSR and request/install the new cert with little or no downtime.


So we need a no-change window for them? The customer expects it to take 2-3 days to get it signed, so no change window for that long? And if they have to make a change, we roll back to a migrate export we'll take before the change?


I too am wondering: if there is a lengthy time between when the CSR is generated and the cert is installed, is a CRL checked, and do the tunnels go down because the old cert is revoked?
