This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
r1der
Advisor
‎2023-05-01 03:59 PM
Jump to solution

Access Role was not working with expired self-signed certificate. Identity Collector problem.

R81.10 JHF Take 79.
Identity Collector version - R81.040.0000

I have things currently working after renewing the IPSec VPN self-signed certificate, but I am wondering if I have things setup "right"? The reason I started looking into this was my Access Role was not working. Check Point Identity Collector is installed on two servers. Under the Identity Collector app > Gateways tab it was Disconnected on both. (screenshot taken after fix)

IdCIdC

It referenced SK113021 under the Test button - Identity Collector fails to connect / add / edit a Security Gateway (checkpoint.com). I went to our cluster IP via a browser after reading that SK and other forum posts. Forum posts led me to read this as well - Identity Collector fails to connect to a Security Gateway due to MultiPortal certificate (checkpoint...
After learning certs could be an issue, I went to my cluster IP via a browser and found out the self-signed certificate expired last month.

To fix that, I had to re-enable the IPSec VPN blade (I disabled the blade since we aren't using this VPN method) and renewed the certificate and installed the policy. After those steps I was able to hit Test and it Connected fine on the IdC app. 

My questions are: - Does this setup sound correct? 
Can the self-signed certificate go longer than 1 year to avoid having to renew manually each year?

Seems like one drawback of using IDC vs AD Query..

Thanks for reading!

1 Solution

Accepted Solutions
8 Replies
the_rock
Legend
Legend
‎2023-05-01 04:09 PM
Jump to solution

CP changed cert validity to 1 year I believe back in 2021, used to be 5 years for longest time. I know someone in R&D told me they made that decision, as it is actually industry standars. Btw, you can have VPN blade off and still use IDC, I did that in lab few times.

Andy

0 Kudos
r1der
Advisor
‎2023-05-01 04:17 PM
In response to the_rock
Jump to solution

Yeah, I have to renew web certs every year and I guess now this.

Thanks, I figured as much since it was off beforehand till the cert self-signed cert expired.
I would turn it back off but I guess I'll leave it on to have the certificate renew button visible, so it's not hidden.

0 Kudos
the_rock
Legend
Legend
‎2023-05-01 04:50 PM
In response to r1der
Jump to solution

They improved this significantly in R81.20, as it gives warning way before its supposed to expire. I believe its at least 6 months, so gives plenty of time to take care of it.

Chris_Atkinson
Employee Employee
Employee
‎2023-05-01 06:11 PM
In response to r1der
Jump to solution

For awareness:

IKE certificate validity period has changed from 5 years to 1 year by default (checkpoint.com)

CCSM R77/R80/ELITE
(1)
the_rock
Legend
Legend
‎2023-05-01 07:07 PM
In response to Chris_Atkinson
Jump to solution

I remember seeing that sk before Chris, but will try extend validity in the lab tomorrow and see if it works.

Cheers,

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-05-02 08:34 AM
In response to Chris_Atkinson
Jump to solution

Just tried it, worked like a charm. Thanks @Chris_Atkinson 👍👍

 

Screenshot_1.png

r1der
Advisor
‎2023-05-05 03:02 PM
In response to Chris_Atkinson
Jump to solution

Perfect, thanks! I was able to increase the expiration by 3 years.

0 Kudos
r1der
Advisor
‎2023-05-19 03:24 PM
In response to the_rock
Jump to solution

I'm still trying to understand this. Do you need the VPN certificate though? It seemed like when it expired IDC stopped working.
I think I'll test Removing the cert from the repository perhaps and see if IDC complains... but not today 😁.

 

Edit: I think the answer is to delete the certificate, after reading this again. Since it is not in use:
Identity Collector fails to connect / add / edit a Security Gateway (checkpoint.com)

  • If you can not "view" the certificate, it needs to be deleted and re-imported or permanently deleted once you have verified its not in use. 
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events