This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
StevePearson
Collaborator
‎2025-10-16 09:12 AM
Jump to solution

Internal CA problem

I have a system where there is a cluster at the main office along with the management server. There are then several branch offices that have Sparks, all of which are managed from the same management server. This is working nicely.

One of the remote sites has been running pen tests for PKI compliance and they are failing because the gateway is showing the CA cert which is self signed (not a problem as we can mitigate that), but the cert also supports MD5 and SHA-1, and that is a straight fail.

So I think i'm going to have to regenerate the CA cert, but that's going to break all SIC connections I believe.

Has anyone got any advice on the best way to do this please?

0 Kudos
1 Solution

Accepted Solutions
Lesley
MVP Gold
MVP Gold
‎2025-10-16 10:59 AM
Jump to solution

https://support.checkpoint.com/results/sk/sk103840
Are we here talking about the ssl certificate or vpn certificate? Or just only the sic? Sic reset on Gaia embedded will bring back default policy. On normal Gaia you can perform sic reset without impact (special procedure)

 

sic reset no impact Gaia: https://support.checkpoint.com/results/sk/sk86521

sic reset Gaia embedded 

https://support.checkpoint.com/results/sk/sk161532

From sk 3840:

In R77.X and lower versions, by default, the Internal CA (ICA) issues certificates based on the SHA-1 algorithm.

In R80.xx, by default, the SHA-256 signature algorithm signs the Internal Certificate Authority (ICA).

Certificates issued by the ICA inherit the same signature algorithm as the ICA certificate. For example, as long as the signature algorithm of the ICA certificate is SHA-1, all certificates issued by it have the SHA-1 signature algorithm. Even when SHA-256 signs the recreated ICA root certificate, old certificates issued by the old ICA root certificate stay with the SHA-1 signature algorithm.

 

-------
Please press "Accept as Solution" if my post solved it 🙂

View solution in original post

4 Replies
Lesley
MVP Gold
MVP Gold
‎2025-10-16 10:59 AM
Jump to solution

https://support.checkpoint.com/results/sk/sk103840
Are we here talking about the ssl certificate or vpn certificate? Or just only the sic? Sic reset on Gaia embedded will bring back default policy. On normal Gaia you can perform sic reset without impact (special procedure)

 

sic reset no impact Gaia: https://support.checkpoint.com/results/sk/sk86521

sic reset Gaia embedded 

https://support.checkpoint.com/results/sk/sk161532

From sk 3840:

In R77.X and lower versions, by default, the Internal CA (ICA) issues certificates based on the SHA-1 algorithm.

In R80.xx, by default, the SHA-256 signature algorithm signs the Internal Certificate Authority (ICA).

Certificates issued by the ICA inherit the same signature algorithm as the ICA certificate. For example, as long as the signature algorithm of the ICA certificate is SHA-1, all certificates issued by it have the SHA-1 signature algorithm. Even when SHA-256 signs the recreated ICA root certificate, old certificates issued by the old ICA root certificate stay with the SHA-1 signature algorithm.

 

-------
Please press "Accept as Solution" if my post solved it 🙂
StevePearson
Collaborator
‎2025-10-17 01:32 AM
In response to Lesley
Jump to solution

I thought it was the SIC, but having received more info this morning it could actually be the VPN. 

There are 2 IPSEC tunnels, one to the head office that will be secured using an internal cert from the CA, so that will have the SHA-1 signature as you say. The second tunnel is to Harmony SASE, so thats Shared Secret.

I'm wondering if the tunnel to head office is removed, would this remove the issue, so i'm going to test this over the weekend.

(1)
the_rock
MVP Platinum
MVP Platinum
‎2025-10-17 01:56 AM
In response to StevePearson
Jump to solution

Good idea Steve, worth trying, for sure.

Best,
Andy
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-16 12:23 PM
Jump to solution

Hey Steve,

Im fairly sure what @Lesley provided will work, but if any issues, definitely contact TAC.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events