This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
BrianHansen
Participant
‎2026-01-15 05:53 AM
Jump to solution

ICA change IP to FQDN

Hello,

I have a customer who would like to change the ICA certificate from containing the SmartCenter IP address to the SmartCenter FQDN.

I have explained that changing the ICA certificate involves additional tasks, such as re-establishing SIC and updating VPN clients, but the customer is aware of this and accepts it.

I am unable to find a procedure for this, has anyone completed such a change successfully and is it supported ?

Best Regards

Brian Hansen

 

0 Kudos
1 Solution

Accepted Solutions
BrianHansen
Participant
‎2026-01-19 02:38 AM
In response to the_rock
Jump to solution

Hello Andy,

It has turned out the the main issue, was related to the SmartCenter and gateways web certificates, so the plan is to replace these with a certificate signed by the internal CA.

Thank you for all replies.

Best Regards

Brian Hansen 

View solution in original post

11 Replies
the_rock
MVP Diamond
MVP Diamond
‎2026-01-15 10:41 AM
Jump to solution

Hey Brian,

Im fairly sure you can do this, BUT, catch is you would need to re-initialize ica from cpconfig on mgmt, then reset sic, as sic would be broken to all gateways managed by it.

Best,
Andy
"Have a great day and if its not, change it"
alisson-lima
Explorer
Explorer
‎2026-01-15 11:29 AM
Jump to solution

Hey Brian,

In addition to Andy's comments, I am not sure if you can replace the IP for a FQDN. Is there any security compliance to do it?

I recommend you to read the R81.20 admin guide for management server. There is a command cp_conf ca that allows you to add the FQDN, I'd test it in lab first.

cp_conf ca

Alisson Lima
CCSM Elite


the_rock
MVP Diamond
MVP Diamond
‎2026-01-15 12:02 PM
In response to alisson-lima
Jump to solution

That should work:

 

[Expert@CP-MANAGEMENT:0]# cp_conf ca

Usage:
cp_conf ca init # Initializes Internal CA
cp_conf ca fqdn <name> # Sets the name of the Internal CA
[Expert@CP-MANAGEMENT:0]#

Best,
Andy
"Have a great day and if its not, change it"
BrianHansen
Participant
‎2026-01-19 01:44 AM
In response to the_rock
Jump to solution

Hello Andy,

Thank you for replying.

I do not think this will fix my issue. The issue is that the Commonname (CN) of the certificate contains the IP address of the ICA (by default). The command cp_conf ca fqdn <name>, will do the following:
The Management Server uses the specified "<FQDN Name>" to configure the Certificate Revocation List Distribution Point (CRL DP) property in all certificates that the ICA generates.

  • The existing certificates for configured objects are not revoked.

  • The existing ICA certificate is not changed.

Best Regards

Brian Hansen

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-19 04:26 AM
In response to BrianHansen
Jump to solution

k, fair enough.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2026-01-15 04:41 PM
Jump to solution

ICA is already based on FQDN by default. It's why you can change the IP of your management server without resetting SIC (if you do it right).

Do you not have the FQDN in yours?

the_rock
MVP Diamond
MVP Diamond
‎2026-01-15 06:35 PM
In response to emmap
Jump to solution

Thats true...changing IP would definitely not break SIC.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
BrianHansen
Participant
‎2026-01-19 02:34 AM
In response to emmap
Jump to solution

Hello Emma,

Thank you for replying.

I do not fully understand, what you mean by the ICA is based on FQDN by default. When I check the certificate, the CN is based on the IP of the SmartCenter, by default.

SIC continues to work after SMC IP change, but AutoRenewal of the Certificate will fail, as that is also IP based.

sk103356:

IP Address of the Internal Certificate Authority (ICA) of Security Management Server / Domain Management Server is automatically added to Check Point Registry file ($CPDIR/registry/HKLM_registry.data) on Security Gateway when SIC is first established (between Security Gateway and Management Server).

If the IP Address of a Security Management Server / Domain Management Server is changed, and SIC is never manually reset (between a Security Gateway and a Management Server), then the AutoRenewal of the Certificate will fail.

Preview file
35 KB
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-01-16 07:08 PM
Jump to solution

Hey Brian,

Happy weekend!

Please let us know how this process goes.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
BrianHansen
Participant
‎2026-01-19 02:38 AM
In response to the_rock
Jump to solution

Hello Andy,

It has turned out the the main issue, was related to the SmartCenter and gateways web certificates, so the plan is to replace these with a certificate signed by the internal CA.

Thank you for all replies.

Best Regards

Brian Hansen 

the_rock
MVP Diamond
MVP Diamond
‎2026-01-19 04:26 AM
In response to BrianHansen
Jump to solution

Glad you got it.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events