r1der
Advisor

Access Role was not working with expired self-signed certificate. Identity Collector problem.

R81.10 JHF Take 79.
Identity Collector version - R81.040.0000

I have things currently working after renewing the IPSec VPN self-signed certificate, but I am wondering if I have things setup "right"? The reason I started looking into this was my Access Role was not working. Check Point Identity Collector is installed on two servers. Under the Identity Collector app > Gateways tab it was Disconnected on both. (screenshot taken after fix)

[Screenshot: Identity Collector app, Gateways tab]

It referenced SK113021 under the Test button - Identity Collector fails to connect / add / edit a Security Gateway (checkpoint.com). I went to our cluster IP via a browser after reading that SK and other forum posts. Forum posts led me to read this as well - Identity Collector fails to connect to a Security Gateway due to MultiPortal certificate (checkpoint...
After learning certs could be an issue, I went to my cluster IP via a browser and found out the self-signed certificate expired last month.

To fix that, I had to re-enable the IPSec VPN blade (I had disabled the blade since we aren't using this VPN method), renew the certificate and install the policy. After those steps I was able to hit Test and it Connected fine in the IdC app.

My questions are:
- Does this setup sound correct?
- Can the self-signed certificate go longer than 1 year to avoid having to renew it manually each year?

This seems like one drawback of using IdC vs. AD Query.

Thanks for reading!
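The author found the expired portal certificate by opening the cluster IP in a browser. As an added example (not part of the original post or of any Check Point tool), the script below does the same check from the command line: it reads the notAfter date of the certificate served on the gateway's HTTPS portal and reports whether it is expired or inside a warning window (180 days by default). It assumes the openssl CLI is installed on the machine running it and that the portal listens on TCP/443; the hostname is a placeholder.

```python
"""Report expiry of the TLS certificate served by a Check Point gateway portal.

Assumptions (not from the forum thread): the `openssl` CLI is available and the
gateway's MultiPortal listens on TCP/443. Nothing here is verified against a CA,
because a self-signed or already-expired certificate must still be readable.
"""
import ssl
import subprocess
import sys
import time


def fetch_not_after(host: str, port: int = 443) -> str:
    """Return the server certificate's notAfter, e.g. 'Nov 15 12:00:00 2024 GMT'."""
    # s_client prints the leaf certificate in PEM; it may exit non-zero on EOF,
    # so check=False. Empty stdin closes the session immediately.
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}"],
        input=b"", capture_output=True, timeout=15, check=False)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate"],
        input=s_client.stdout, capture_output=True, check=True)
    # Output looks like "notAfter=Nov 15 12:00:00 2024 GMT"
    return x509.stdout.decode().strip().split("=", 1)[1]


def days_until_expiry(not_after: str, now=None) -> int:
    """Whole days left before expiry; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(not_after)  # stdlib parser for this format
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def assess(days_left: int, warn_days: int = 180) -> str:
    """Classify as 'EXPIRED', 'WARN' (inside the warning window) or 'OK'."""
    if days_left < 0:
        return "EXPIRED"
    return "WARN" if days_left <= warn_days else "OK"


if __name__ == "__main__":
    # Placeholder hostname; pass the cluster VIP or member address as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "cluster-vip.example"
    not_after = fetch_not_after(host)
    days = days_until_expiry(not_after)
    print(f"{host}: notAfter={not_after} days_left={days} status={assess(days)}")
```

Run it from a monitoring host against each gateway; an "EXPIRED" or "WARN" result is the cue to renew the certificate before Identity Collector reports the gateway as Disconnected.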

the_rock
Legend

CP changed cert validity to 1 year, I believe back in 2021; it used to be 5 years for the longest time. I know someone in R&D told me they made that decision, as it is actually the industry standard. Btw, you can have the VPN blade off and still use IDC; I did that in the lab a few times.

Andy

r1der
Advisor

Yeah, I have to renew web certs every year and I guess now this too.

Thanks, I figured as much since it was off beforehand until the self-signed cert expired.
I would turn it back off, but I guess I'll leave it on so the certificate renew button stays visible and isn't hidden.

the_rock
Legend

They improved this significantly in R81.20, as it gives a warning well before it's supposed to expire. I believe it's at least 6 months, so it gives plenty of time to take care of it.

Chris_Atkinson
Employee
the_rock
Legend

I remember seeing that sk before, Chris, but I will try to extend the validity in the lab tomorrow and see if it works.

Cheers,

Andy

the_rock
Legend

Just tried it, worked like a charm. Thanks @Chris_Atkinson 👍👍

[Screenshot: Screenshot_1.png]

r1der
Advisor

Perfect, thanks! I was able to increase the expiration by 3 years.

r1der
Advisor

I'm still trying to understand this. Do you need the VPN certificate, though? It seemed like IDC stopped working when it expired.
I think I'll test removing the cert from the repository perhaps and see if IDC complains... but not today 😁.


Edit: I think the answer is to delete the certificate, after reading this again. Since it is not in use:
Identity Collector fails to connect / add / edit a Security Gateway (checkpoint.com)

  • If you cannot "view" the certificate, it needs to be deleted and re-imported, or permanently deleted once you have verified it's not in use.