Hi all, we have been receiving this alert for a couple of days, saying that the ICA cert of the SMS will expire in one year. We are using R81.10 at the moment.
Warning (The Internal Certificate Authority (ICA) certificate will expire on May 5 10:02:29 2024 GMT . To renew it, follow <a href = "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...">sk158096</a>)
So there seems to be a procedure to renew this cert, but I am very curious about what the impact would be on the Identity Awareness agent.
"The end user is still able to connect from the VPN client and/or Identity Agents by clicking “Trust and continue” / “Trust” respectively.
To avoid these warning messages in the first place, we recommend that you publish the renewed fingerprint centrally to all your VPN clients / Identity Agents right after the renewal of the Internal CA certificate.
Unfortunately, the new fingerprint is generated only when the Internal CA certificate is renewed.
Note - There is no way to push the new fingerprint before the renewal of the Internal CA certificate"
I believe the IA agents are using a different certificate which is installed on the gateway so how does that relate to the ICA cert of the SMS?
We obviously don't want to impact any end user, especially as the IA agent needs to be connected all the time. Could anyone please leave your comments on this?
Different certificate, but it's signed by the same CA (the Internal CA).
Having said that, no previously issued certificates will be invalidated.
Not sure how this works with the Identity Agents, unfortunately.
I understand, but we need to prevent impacting the IA agents installed on the laptops (new fingerprint popup). Should I open a TAC case to investigate?
I would recommend a TAC case on this, yes.
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.
Take 95, PRJ-44576, PMTR-90463: this fixed it automatically.
But the question is, if ICA is automatically renewed, what about VPN certificates and VPN users? Will their connection be affected after ICA auto-renew? Because I can still see the old VPN certificate in the gateway properties.
No, it should not.
No impact for VPN users. However, VPN users connecting to the gateway where the ICA was renewed will be asked to confirm the new fingerprint once the ICA is renewed.
What about the Site to Site VPNs, whose authentication works over a certificate from the same SMS? After the ICA has changed, what are the best practice steps to make sure the tunnels are working properly?
It is automatically renewed since take 95; take a look at the release notes. We did it and had no impact with Identity Awareness nor IPsec VPNs, although we don't use VPN remote access on the Check Point.
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.
Do nothing 🙂 There is nothing to be worried about with S2S VPNs once the ICA is renewed. Nothing to do in this area.
As @JozkoMrkvicka said, no need to worry 🙂