dehaasm
Collaborator

The Internal Certificate Authority (ICA) certificate will expire

Hi all, we have been receiving this alert for a couple of days saying that the ICA cert of the SMS will expire in one year. We are using R81.10 at the moment.

Warning (The Internal Certificate Authority (ICA) certificate will expire on May 5 10:02:29 2024 GMT. To renew it, follow sk158096)

So there seems to be a procedure to renew this cert but I am very curious on what would be the impact on the Identity awareness agent.

"The end user is still able to connect from the VPN client and/or Identity Agents by clicking “Trust and continue” / “Trust” respectively.

To avoid these warning messages in the first place, we recommend that you publish the renewed fingerprint centrally to all your VPN clients / Identity Agents right after the renewal of the Internal CA certificate.

Unfortunately, the new fingerprint is generated only when the Internal CA certificate is renewed.

Note - There is no way to push the new fingerprint before the renewal of the Internal CA certificate"

I believe the IA agents are using a different certificate which is installed on the gateway, so how does that relate to the ICA cert of the SMS?

We obviously don't want to impact any end user, especially since the IA agent needs to be connected all the time. Could anyone please leave your comments on this?

0 Kudos
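The alert above fires one year before the ICA certificate's notAfter date, and the sk text says the new fingerprint only exists once the renewal has happened. The script below is an added example, not from this thread or from Check Point: it reports a CA certificate's fingerprints and expiry and warns when the one-year window is open, so the same check can be run before and after a renewal to confirm the new validity period and capture the fingerprint to distribute. It assumes the OpenSSL CLI is installed and that the CA certificate is available as a PEM file; how to export the ICA certificate from the SMS is not covered here. The make_test_ca helper builds a constructed self-signed CA purely for testing.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): report a CA certificate's
# fingerprints and expiry, and warn when it expires within the one-year window
# used by the alert quoted above. Assumes the OpenSSL CLI and a PEM export of the
# CA certificate; how to export the ICA certificate is not covered here.
set -eu

# Warn when fewer than this many days of validity remain (the alert fires a year out).
WARN_DAYS=365

# Print the SHA-256 and SHA-1 fingerprints; client trust prompts show one of these.
cert_fingerprints() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
    openssl x509 -in "$1" -noout -fingerprint -sha1
}

# Print the certificate's notAfter date as OpenSSL formats it.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate stays valid for at least $2 more days, 1 otherwise.
# openssl's -checkend takes seconds, so convert days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# One status line for operators; "WARNING" means the renewal window is open.
cert_status() {
    if cert_valid_for_days "$1" "$WARN_DAYS"; then
        echo "OK: $1 is valid for more than $WARN_DAYS days (notAfter $(cert_not_after "$1"))"
    else
        echo "WARNING: $1 expires within $WARN_DAYS days (notAfter $(cert_not_after "$1"))"
    fi
}

# Constructed test data: a self-signed CA valid for $3 days (cert to $1, key to $2).
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
        -days "$3" -subj "/CN=Constructed Test Internal CA" 2>/dev/null
}

# Usage: sh ica_check.sh /path/to/ca.pem
if [ -n "${1:-}" ]; then
    cert_fingerprints "$1"
    cert_status "$1"
fi
```

Run it against the exported certificate before the renewal and again afterwards: the notAfter date should move out, the status should flip from WARNING to OK, and the fingerprint printed after the renewal is the one to publish to the VPN clients and Identity Agents.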
11 Replies
PhoneBoy
Admin

Different certificate, but it's signed by the same CA (the Internal CA).
Having said that, no previously issued certificates will be invalidated.

Not sure how this works with the Identity Agents, unfortunately.

0 Kudos
dehaasm
Collaborator

I understand, but we need to prevent impacting the IA agents installed on the laptops (new fingerprint popup). Should I open a TAC case to investigate?

0 Kudos
PhoneBoy
Admin

I would recommend a TAC case on this, yes.

0 Kudos
dehaasm
Collaborator

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

take 95 PRJ-44576,
PMTR-90463

This fixed it automatically.

0 Kudos
starmen2000
Collaborator

But the question is, if the ICA is automatically renewed, what about VPN certificates and VPN users? Will their connection be affected after the ICA auto-renew? Because I can still see the old VPN certificate in the gateway properties.

0 Kudos
PhoneBoy
Admin

No, it should not.

0 Kudos
JozkoMrkvicka
Mentor

No impact for VPN users. However, VPN users connecting to the gateway where the ICA was renewed will be asked to confirm the new fingerprint once the ICA is renewed.

Kind regards,
Jozko Mrkvicka
0 Kudos
starmen2000
Collaborator

What about the Site to Site VPNs, whose authentication works with a certificate from the same SMS? After the ICA changed, what are the best practice steps to make sure the tunnels are working properly?

0 Kudos
dehaasm
Collaborator

It is automatically renewed since take 95; take a look at the release notes. We did it and had no impact with Identity Awareness nor IPsec VPNs, although we don't use VPN remote access on the Check Point.

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

0 Kudos
JozkoMrkvicka
Mentor

Do nothing 🙂 There is nothing to be worried about for S2S VPNs once the ICA is renewed. Nothing to do in this area.

Kind regards,
Jozko Mrkvicka
(1)
the_rock
Legend

As @JozkoMrkvicka said, no need to worry 🙂

0 Kudos