This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Enrico
Participant
‎2021-11-15 08:30 AM

IKE certificate validity during renew on R81

Hello,
I'm wondering if anyone has noticed what has changed regarding the duration of ike certificates on gateways on management R81 and later.
In fact, I noticed that, by renewing a gateway ike certificate, it is renewed by default for only one year. Even trying to change the default configuration using the command cpca_client set_cert_validity -k IKE -y x it is no longer possible to obtain certificates with a duration of 5 years. Does anyone know the reason for this change, has he found documentation about it or is he aware that a functioning auto-renewal mechanism has been implemented?

A default validity of one year, a maximum of 3 years and the necessity to renew it manually introduce a overhead that in my opinion should be advertised more

 

Regards 

Enrico

0 Kudos
3 Replies
Liel_Shaish
Employee
Employee
‎2021-11-18 08:52 AM

Hello Enrico,

My name is Liel Shaish, I’m the RnD owner of the Check Point Internal Certificate Authority.

The reason for this change was to align our products with a top industry standard for certificate authority, and provide our security recommendation for certificate validity period. Shorter validity period will mitigate security risks when a private key is compromised.

The change was documented in sk176527 and was integrated into R81.10 version and into Jumbo Hotfix Accumulators for R80.20, R80.30, R80.40, and R81 versions. Of course, we always seek to improve our communication channels with customers.

We will learn from this feedback and document it in a better and clearer way. Although these are the recommended setting (1 year default and up to 3 years), we will provide an option to extend it beyond that according to customer’s decision.

Thank you for sharing this important feedback,
Liel

Sajgon107
Participant
‎2023-03-15 11:58 AM
In response to Liel_Shaish

Hello,

is there any way how to enable auto renewal on IKE certs or does it have to be each time (based on expiration period) renewed manually?

 

0 Kudos
the_rock
Legend
Legend
‎2023-03-15 12:40 PM
In response to Sajgon107

I dont believe they can be renewed automatically. In R81.20 it gives warning in smart console 60 days before expiration, but in previous versions, I believe its still 15 days, which is still plenty of time. I renewed it day before it expired few times before and never had any issues.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events