Enrico
Participant

IKE certificate validity during renew on R81

Hello,
I'm wondering if anyone has noticed what has changed regarding the duration of ike certificates on gateways on management R81 and later.
In fact, I noticed that, by renewing a gateway IKE certificate, it is renewed by default for only one year. Even trying to change the default configuration using the command cpca_client set_cert_validity -k IKE -y x, it is no longer possible to obtain certificates with a duration of 5 years. Does anyone know the reason for this change, has anyone found documentation about it, or is anyone aware that a functioning auto-renewal mechanism has been implemented?

A default validity of one year, a maximum of 3 years and the necessity to renew it manually introduce an overhead that in my opinion should be advertised more.


Regards 

Enrico

0 Kudos
3 Replies
Liel_Shaish
Employee

Hello Enrico,

My name is Liel Shaish, I’m the RnD owner of the Check Point Internal Certificate Authority.

The reason for this change was to align our products with a top industry standard for certificate authorities, and to provide our security recommendation for the certificate validity period. A shorter validity period will mitigate security risks when a private key is compromised.

The change was documented in sk176527 and was integrated into R81.10 version and into Jumbo Hotfix Accumulators for R80.20, R80.30, R80.40, and R81 versions. Of course, we always seek to improve our communication channels with customers.

We will learn from this feedback and document it in a better and clearer way. Although these are the recommended settings (1 year default and up to 3 years), we will provide an option to extend it beyond that according to the customer’s decision.

Thank you for sharing this important feedback,
Liel

Sajgon107
Participant

Hello,

Is there any way to enable auto-renewal on IKE certs, or does it have to be renewed manually each time (based on the expiration period)?


0 Kudos
the_rock
Legend

I don't believe they can be renewed automatically. In R81.20 it gives a warning in SmartConsole 60 days before expiration, but in previous versions, I believe it's still 15 days, which is still plenty of time. I renewed it the day before it expired a few times before and never had any issues.

0 Kudos
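Since the thread establishes that IKE certificates are renewed manually and that the only built-in notice is a warning some days before expiry, a defender will usually want an independent expiry check over the gateway inventory. The script below is an added example, not Check Point code: it takes a constructed list of gateway certificate notAfter values (in the same string format Python's ssl module reports for a peer certificate) and flags each one as ok, due for renewal, or already expired. The 60-day and 15-day windows are assumptions chosen to mirror the two thresholds mentioned above; the gateway names and dates are constructed.

```python
"""Added example: flag VPN gateway certificates that are close to expiry.

This is not Check Point code. The inventory, the reference time and the
warning windows are constructed assumptions for illustration.
"""
import ssl
from datetime import datetime, timezone

# Constructed inventory: gateway name -> certificate notAfter, in the
# "%b %d %H:%M:%S %Y GMT" form that ssl.getpeercert() returns.
GATEWAY_CERTS = {
    "gw-branch-01": "Mar  1 12:00:00 2025 GMT",
    "gw-branch-02": "Jan 20 08:30:00 2025 GMT",
    "gw-hq": "Jun 15 00:00:00 2026 GMT",
    "gw-lab": "Dec  1 00:00:00 2024 GMT",
}

# Fixed "now" so the report is reproducible; a real run would use
# datetime.now(timezone.utc).
NOW = datetime(2025, 1, 10, 12, 0, 0, tzinfo=timezone.utc)

# Assumed warning windows (days before expiry), mirroring the 60-day and
# 15-day thresholds discussed in this thread.
WARN_DAYS_NEW = 60
WARN_DAYS_OLD = 15


def days_until_expiry(not_after: str, now: datetime = NOW) -> int:
    """Whole days from `now` until notAfter; negative once the cert has expired."""
    expiry_ts = ssl.cert_time_to_seconds(not_after)  # parses the GMT string
    expiry = datetime.fromtimestamp(expiry_ts, tz=timezone.utc)
    # timedelta.days floors, so an expired cert always yields a value < 0.
    return (expiry - now).days


def classify(days_left: int, warn_days: int) -> str:
    """Map days remaining to a status relative to a warning window."""
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "renew"
    return "ok"


def expiry_report(inventory: dict, now: datetime = NOW,
                  warn_days: int = WARN_DAYS_NEW) -> list:
    """Return (gateway, days_left, status) tuples, most urgent first."""
    rows = []
    for name, not_after in inventory.items():
        days_left = days_until_expiry(not_after, now)
        rows.append((name, days_left, classify(days_left, warn_days)))
    rows.sort(key=lambda row: row[1])
    return rows


if __name__ == "__main__":
    for name, days_left, status in expiry_report(GATEWAY_CERTS):
        print(f"{name:14s} {days_left:5d} days  {status}")
```

Running it with the constructed data lists gw-lab as expired, gw-branch-02 as due within both windows, gw-branch-01 as due only under the 60-day window, and gw-hq as ok; re-running with warn_days=WARN_DAYS_OLD shows how much less lead time the older 15-day notice gives.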
