Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
dehaasm
Collaborator

The Internal Certificate Authority (ICA) certificate will expire

Hi All we received this alert since a couple of days that the ICA cert of the SMS will expire in one year. We are using R81.10 at the moment.

Warning (The Internal Certificate Authority (ICA) certificate will expire on May 5 10:02:29 2024 GMT . To renew it, follow <a href = "https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...">sk158096</a>)

So there seems to be a procedure to renew this cert but I am very curious on what would be the impact on the Identity awareness agent.

"The end user is still able to connect from the VPN client and/or Identity Agents by clicking “Trust and continue” / “Trust” respectively.

To avoid these warning messages in the first place, we recommend that you publish the renewed fingerprint centrally to all your VPN clients / Identity Agents right after the renewal of the Internal CA certificate.

Unfortunately, the new fingerprint is generated only when the Internal CA certificate is renewed.

Note - There is no way to push the new fingerprint before the renewal of the Internal CA certificate"

I believe the IA agents are using a different certificate which is installed on the gateway so how does that relate to the ICA cert of the SMS?

We obviously dont want to  impact any end user especially the IA agent needs to be connected all the time, could anyone please leave your comments on this?

 

0 Kudos
11 Replies
PhoneBoy
Admin
Admin

Different certificate, but it's signed by the same CA (the Internal CA).
Having said that, no previously issued certificates will be invalidated.

Not sure how this works with the Identity Agents, unfortunately.

0 Kudos
dehaasm
Collaborator

I understand but we need to prevent impacting the IA agents installed on the laptops (new fingerprint popup), should I open a TAC case to investigate?

0 Kudos
PhoneBoy
Admin
Admin

I would recommend a TAC case on this, yes.

0 Kudos
dehaasm
Collaborator

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

take 95 PRJ-44576,
PMTR-90463

this fixed it automatically

0 Kudos
starmen2000
Collaborator
Collaborator

But the question is, if ICA is automatically renewed, what about VPN certificates and VPN users? Will their connection be affected after ICA auto-renew? Because I can still see the old VPN certificate in the gateway properties. 

0 Kudos
PhoneBoy
Admin
Admin

No, it should not.

0 Kudos
JozkoMrkvicka
Authority
Authority

No impact for VPN users. However, VPN users connecting to the gateway where ICA was renewed, will be asked to confirm new fingerprint once ICA is renewed.

Kind regards,
Jozko Mrkvicka
0 Kudos
starmen2000
Collaborator
Collaborator

What about the Site to Site VPNs, theirs autentication works over Certificate from the same SMS? After ICA changed, what are the best practise steps to make sure the tunnels are working properly?

0 Kudos
dehaasm
Collaborator

it is automatically renewed since take 95 take a look at release notes we did it and had no impact with identity awareness nor IPsec VPNs although we don't use VPN remote access on the Check Point

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

0 Kudos
JozkoMrkvicka
Authority
Authority

do nothing 🙂 there is nothing to be worried about S2S VPNs once ICA is renewed. Nothing to do in this area.

Kind regards,
Jozko Mrkvicka
(1)
the_rock
Legend
Legend

As @JozkoMrkvicka said, no need to worry 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events