Hi All,

We are trying to determine what VPN certificates will expire in the near future in our customer's environment (running version R77.30). Please review the following example output from one of their CMA:

# cpca_client lscert -stat Valid -kind IKE

Operation succeeded. rc=0.

3 certs found.

Subject = CN=BG-domain_Management_Server VPN Certificate,O=BG-domain..kstxe3

Status = Valid   Kind = IKE   Serial = 37172   DP = 1

Not_Before: Sun Jan 26 14:08:43 2014   Not_After: Sat Jan 26 14:08:43 2019

Subject = CN=mgmt-fake VPN Certificate,O=BG-domain..kstxe3

Status = Valid   Kind = IKE   Serial = 82103   DP = 1

Not_Before: Sun Jan 26 13:57:52 2014   Not_After: Sat Jan 26 13:57:52 2019

Subject = CN=bg-gw-utm270 VPN Certificate,O=BG-domain..kstxe3

Status = Valid   Kind = IKE   Serial = 93179   DP = 1

Not_Before: Sat Jan 12 21:55:45 2019   Not_After: Fri Jan 12 21:55:45 2024

Note: "bg-gw-utm270" is their one and only Security Gateway in their CMA in question.

The real question is why "BG-domain_Management_Server" and "mgmt-fake" have VPN certificates? They are both Check Point management type objects, therefore at first sight, this look very odd why they have such certificate. Can you help us with a good explanation?

In addition, how exactly those certificates can be renewed?

Thanks in advance.