Norbert_Giczi
Participant

VPN certificate for a management object?

Hi All,

We are trying to determine what VPN certificates will expire in the near future in our customer's environment (running version R77.30). Please review the following example output from one of their CMAs:

# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
3 certs found.
Subject = CN=BG-domain_Management_Server VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 37172   DP = 1
Not_Before: Sun Jan 26 14:08:43 2014   Not_After: Sat Jan 26 14:08:43 2019
Subject = CN=mgmt-fake VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 82103   DP = 1
Not_Before: Sun Jan 26 13:57:52 2014   Not_After: Sat Jan 26 13:57:52 2019
Subject = CN=bg-gw-utm270 VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 93179   DP = 1
Not_Before: Sat Jan 12 21:55:45 2019   Not_After: Fri Jan 12 21:55:45 2024

Note: "bg-gw-utm270" is their one and only Security Gateway in their CMA in question.

The real question is why "BG-domain_Management_Server" and "mgmt-fake" have VPN certificates. They are both Check Point management type objects, so at first sight it looks very odd that they have such certificates. Can you help us with a good explanation?

In addition, how exactly can those certificates be renewed?

Thanks in advance.

1 Reply
PhoneBoy
Admin

Management servers are also endpoints for Certificate Revocation Lists.

My guess is those certificates are relevant for that.

These certificates can be renewed manually.

You will get warnings in SmartDashboard when the certificates are about to expire (60 days before).

Upon installing Security Policy, Security Management server warns about expiring Security Gateway ce... 
