This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Norbert_Giczi
Participant
‎2019-01-16 01:02 AM

VPN certificate for a management object?

Hi All,

We are trying to determine what VPN certificates will expire in the near future in our customer's environment (running version R77.30). Please review the following example output from one of their CMA:

# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
3 certs found.
Subject = CN=BG-domain_Management_Server VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 37172   DP = 1
Not_Before: Sun Jan 26 14:08:43 2014   Not_After: Sat Jan 26 14:08:43 2019
Subject = CN=mgmt-fake VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 82103   DP = 1
Not_Before: Sun Jan 26 13:57:52 2014   Not_After: Sat Jan 26 13:57:52 2019
Subject = CN=bg-gw-utm270 VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 93179   DP = 1
Not_Before: Sat Jan 12 21:55:45 2019   Not_After: Fri Jan 12 21:55:45 2024

Note: "bg-gw-utm270" is their one and only Security Gateway in their CMA in question.

The real question is why "BG-domain_Management_Server" and "mgmt-fake" have VPN certificates? They are both Check Point management type objects, therefore at first sight, this look very odd why they have such certificate. Can you help us with a good explanation?

In addition, how exactly those certificates can be renewed?

Thanks in advance.

1 Reply
PhoneBoy
Admin
Admin
‎2019-01-16 07:12 PM

Management servers are also endpoints for Certificate Revocation Lists.

My guess is those certificates are relevant for that.

These certificates can be renewed manually.

You will get warnings in SmartDashboard when the certificates are about to expire (60 days before).

Upon installing Security Policy, Security Management server warns about expiring Security Gateway ce... 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events