Garrett_DirSec
Advisor

ICA issues with multiple "cn=cp_mgmt" certs and how this affects the R81+ platform

Hello -- I have encountered various instances of the "certificate revoked" issue for a SmartConsole connecting to a newly upgraded R81 SmartCenter. The issue happened to be ICA having issued multiple "cn=cp_mgmt" certs -- all valid -- for the same SmartCenter host.

I was surprised to encounter a customer environment with a SmartCenter running the default ISO R81 (upgraded from R77xx) that had TEN valid "cn=cp_mgmt" certs and was NOT exhibiting the "certificate revoked" SmartConsole connect issue.

We upgraded the environment (including distributed gateways) to R81.10 with Jumbo GA take 30. The ICA and "cn=cp_mgmt" underlying issue was not resolved. Since this is a known issue (sk169553), I figured that Check Point would address it via hotfix and/or a manager rev upgrade.

While we investigated another annoying problem with R81.10 breaking connectivity for the LDAP account unit (and thus AD Query), I checked on multiple "cn=cp_mgmt" certs and was surprised to see multiple (in this case: ten valid certs; there should be only ONE).

Since R81.10 (and subsequent R81 jumbos) is not fixing this issue behind the scenes, what are the ramifications and potential issues a customer would experience (other than "certificate revoked" in SmartConsole)?

What are the potential issues the Check Point community will experience, with a potentially large number of customers having this issue and many unaware?

2 Replies
PhoneBoy
Admin

There are two issues I see here:

  • The fact we generated more than one valid management cert
  • The fact there are "certificate revoked" and similar messages when there is more than one valid management cert

The first issue could have already been fixed in the JHF.
The second, which is probably caused by the first issue, might be difficult to clean up in an automated fashion without other side effects, which is probably why it's not in a JHF.

That's just my take, of course.

Juan_
Collaborator

I've seen this issue many times in R80.20+.

With different symptoms but always quite easy to discover:

  • Customer sees a new fingerprint
  • Customer sees certificate revoked and can't login
  • Customer can log in but SIC is lost to gw
  • Customer can log in, GWs look "connected" but then you can't push policy
  • Errors opening gateway objects

All in all, it's always been easy to fix by recreating the SIC cert as per the sk you are sharing.

But I am not sure what causes the issue or why it happens.

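As an added example (not code from the thread or from Check Point), here is a small audit script for the condition the original post and the second reply describe: more than one valid SIC certificate issued for the same "cn=cp_mgmt" subject, where exactly one is the healthy state. It parses a constructed sample that approximates `cpca_client lscert` output; the exact field layout is an assumption, so adjust the regex to match what your ICA actually prints.

```python
import re
from collections import defaultdict

# Constructed sample, approximating the layout of `cpca_client lscert` output.
# The field layout is an assumption made for this example, not taken from the thread.
SAMPLE_LSCERT = """Operation succeeded. rc=0.
3 certs found.

Subject = CN=cp_mgmt,O=mgmt.example.local.abc123
Status = Valid   Kind = SIC   Serial = 10001   DP = 0
Not_Before: Mon Jan 10 09:00:00 2022   Not_After: Sun Jan 09 09:00:00 2027

Subject = CN=cp_mgmt,O=mgmt.example.local.abc123
Status = Valid   Kind = SIC   Serial = 10002   DP = 0
Not_Before: Tue Feb 01 09:00:00 2022   Not_After: Mon Jan 31 09:00:00 2027

Subject = CN=cp_mgmt,O=mgmt.example.local.abc123
Status = Revoked   Kind = SIC   Serial = 9990   DP = 0
Not_Before: Wed Mar 03 09:00:00 2021   Not_After: Tue Mar 02 09:00:00 2026
"""

# One record = a Subject line followed by a Status/Kind/Serial line.
RECORD_RE = re.compile(
    r"Subject = (?P<subject>[^\n]+)\n"
    r"Status = (?P<status>\w+)\s+Kind = (?P<kind>\w+)\s+Serial = (?P<serial>\d+)"
)


def parse_lscert(text):
    """Return one dict (subject, status, kind, serial) per certificate record."""
    return [m.groupdict() for m in RECORD_RE.finditer(text)]


def audit_cp_mgmt(text, cn="cp_mgmt"):
    """Group valid SIC certs by subject and flag any subject holding more than one.

    Revoked or expired entries are ignored: only *valid* duplicates cause the
    "certificate revoked" / SIC-loss symptoms discussed in the thread.
    """
    valid = defaultdict(list)
    for cert in parse_lscert(text):
        cn_match = cert["subject"].upper().startswith(f"CN={cn.upper()},")
        if cn_match and cert["status"] == "Valid" and cert["kind"] == "SIC":
            valid[cert["subject"]].append(int(cert["serial"]))
    return {
        subject: {"serials": sorted(serials), "duplicate": len(serials) > 1}
        for subject, serials in valid.items()
    }


if __name__ == "__main__":
    for subject, info in audit_cp_mgmt(SAMPLE_LSCERT).items():
        flag = "DUPLICATE valid certs" if info["duplicate"] else "ok"
        print(f"{subject}: serials {info['serials']} -> {flag}")
```

On a real SmartCenter, feed the script the captured output of the `cpca_client lscert` query for the management host instead of the constructed sample.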