Hi,
While reviewing the SIC certificates on my SMS (cp_mgmt), I noticed there are multiple duplicates. Currently I can see 4 certificates:
CN=cp_mgmt (3 times)
CN=cp_mgmt_mysms
My goal is to clean this up and leave only one certificate with CN=cp_mgmt.
The doubt I have is:
👉 If I revoke these certificates and then create a new one (with CN cp_mgmt), will this impact Site-to-Site VPNs, SIC communication with existing gateways registered in SmartConsole, or any other component that depends on this certificate?
Specifically, I’d like to understand how this SMS SIC certificate interacts with other firewalls/gateways, and whether it is associated with anything else that could be affected by revocation.
These are the steps I plan to follow:
------------------------------------------------------------------------------------------
# Validate current certificates, should show 4
# (plain "CN=cp_mgmt" also matches cp_mgmt_mysms; a trailing "*" is not a glob in grep):
cpca_client lscert -kind SIC -stat Valid | grep -iE "CN=cp_mgmt"
# Backup of sic_cert:
cp "$CPDIR/conf/sic_cert.p12"{,_BACKUP}
# Revoke certificates with CN "CN=cp_mgmt":
cpca_client revoke_cert -n "CN=cp_mgmt"
# Revoke current certificate with CN "CN=cp_mgmt_mysms":
cpca_client revoke_cert -n "CN=cp_mgmt_mysms"
# Create new certificate with CN "CN=cp_mgmt":
cpca_client create_cert -n "CN=cp_mgmt" -f "$CPDIR/conf/sic_cert.p12"
# Restart services:
cprestart
# Validate CPM process:
watch -d api status
------------------------------------------------------------------------------------------
Has anyone gone through this process before? Does revoking/recreating the SMS SIC certificate have any risk on gateway communication or S2S VPNs?
Any insights or recommendations would be highly appreciated 🙌
Thanks in advance!
I did this before and tunnels are fine, BUT make sure to back up all those files and do it in a maintenance window. Btw, you can open all gateway objects and see what's listed there under VPN, so you don't delete the wrong thing. If you can, I would take a backup and/or mgmt snapshot too.
Andy
While reviewing SIC certificates on my gateways using:
cat /pfrm2.0/config1/fw1/registry/HKLM_registry.data | grep SIC
I noticed:
In MySICName, CN corresponds to the gateway name (SMB/branch firewall).
O is the same as the O value on the duplicate SMS SIC certificates (cp_mgmt and cp_mgmt_mysms).
Additionally, I checked the VPN certificates and noticed that the O field there is identical to the O on the SMS SIC duplicates, while the CN reflects the respective gateway.
From what I understand:
All gateways and SMS share the same ICA (O).
The CN is unique per gateway, but the authority (O) is the same.
VPN certificates seem to trust the same ICA, which may explain why revoking SMS SIC duplicates might not impact VPN tunnels.
My question is:
If I revoke the duplicate cp_mgmt certificates in the SMS and generate a new single CN=cp_mgmt, can I assume that:
SIC trust with gateways will remain intact
S2S VPNs will not be affected
…since the ICA (O) does not change?
I understand that the real risk would be losing the SMS private key associated with the active SIC certificate. Losing it would break the SMS’s ability to authenticate with gateways, but as long as I have a backup of sic_cert.p12 and/or a snapshot of the SMS, this risk should be mitigated.
Any clarification or confirmation from those who have done this safely would be greatly appreciated!
Technically, your assumption is right. Also, you would never see the CN in the server list for the mgmt cert in SmartConsole, and O would ALWAYS show the same for that cert, as well as for the VPN ones of gateways managed by it.
Andy
From my lab (and don't worry about the ones that say john_smith and mgmt-ica; that was when I was testing ICA tool access): there is a separate SE server, 1 cluster and 1 single gw.
Andy
[Expert@CP-MANAGEMENT:0]# cpca_client lscert -kind SIC -stat Valid
Operation succeeded. rc=0.
10 certs found.
Subject = CN=cp_mgmt,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 24352 DP = 0
Not_Before: Wed Jul 3 19:39:19 2024 Not_After: Tue Jul 3 19:39:19 2029
Subject = CN=cp_mgmt,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 32626 DP = 0
Not_Before: Wed Jul 3 19:39:26 2024 Not_After: Tue Jul 3 19:39:26 2029
Subject = CN=CP-FW-01,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 32914 DP = 0
Not_Before: Wed Jul 3 21:17:44 2024 Not_After: Tue Jul 3 21:17:44 2029
Subject = CN=CP-SMARTEVENT,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 40243 DP = 0
Not_Before: Wed Apr 9 10:04:56 2025 Not_After: Wed Apr 10 10:04:56 2030
Subject = CN=CP-GW,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 44546 DP = 0
Not_Before: Tue Apr 8 15:39:36 2025 Not_After: Tue Apr 9 15:39:36 2030
Subject = CN=CP-FW-02,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 50320 DP = 0
Not_Before: Wed Jul 3 21:18:24 2024 Not_After: Tue Jul 3 21:18:24 2029
Subject = CN=cp_mgmt,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 64032 DP = 0
Not_Before: Wed Jul 3 19:39:10 2024 Not_After: Tue Jul 3 19:39:10 2029
Subject = CN=john_smith,OU=users,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 71761 DP = 0
Not_Before: Sun Jun 29 13:56:17 2025 Not_After: Sun Jun 30 13:56:17 2030
Subject = CN=CP-MANAGEMENT,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 79791 DP = 0
Not_Before: Wed Aug 14 15:10:32 2024 Not_After: Tue Aug 14 15:10:32 2029
Subject = CN=mgmt-ica,OU=users,O=CP-MANAGEMENT..pi6w5j
Status = Valid Kind = SIC Serial = 96322 DP = 0
Not_Before: Tue Sep 3 14:38:33 2024 Not_After: Mon Sep 3 14:38:33 2029
[Expert@CP-MANAGEMENT:0]#
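The `cpca_client lscert` listing above is what both the cleanup plan in the opening post (step 1, "should show 4") and Andy's lab check come down to: which CNs hold more than one valid SIC certificate, and whether every subject carries the same O (the ICA identity the whole thread hinges on). As an added example, not code from the original posts or from Check Point, here is a small Python parser for that output that answers both questions. The sample listing embedded in it is constructed in the same format as the output above; the O suffix `ExampleName..abedfas` is a placeholder and the serials are made up.

```python
"""Parse `cpca_client lscert -kind SIC -stat Valid` text output and flag
duplicate CNs and issuer (O) inconsistencies. Added example, not Check Point code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the lscert output format. O value and serials are placeholders.
SAMPLE_LSCERT = """\
Operation succeeded. rc=0.
5 certs found.
Subject = CN=cp_mgmt,O=ExampleName..abedfas
Status = Valid Kind = SIC Serial = 24352 DP = 0
Not_Before: Wed Jul 3 19:39:19 2024 Not_After: Tue Jul 3 19:39:19 2029
Subject = CN=cp_mgmt,O=ExampleName..abedfas
Status = Valid Kind = SIC Serial = 64032 DP = 0
Not_Before: Wed Jul 3 19:39:10 2024 Not_After: Tue Jul 3 19:39:10 2029
Subject = CN=cp_mgmt_mysms,O=ExampleName..abedfas
Status = Valid Kind = SIC Serial = 32626 DP = 0
Not_Before: Wed Jul 3 19:39:26 2024 Not_After: Tue Jul 3 19:39:26 2029
Subject = CN=CP-FW-01,O=ExampleName..abedfas
Status = Valid Kind = SIC Serial = 32914 DP = 0
Not_Before: Wed Jul 3 21:17:44 2024 Not_After: Tue Jul 3 21:17:44 2029
Subject = CN=john_smith,OU=users,O=ExampleName..abedfas
Status = Valid Kind = SIC Serial = 71761 DP = 0
Not_Before: Sun Jun 29 13:56:17 2025 Not_After: Sun Jun 30 13:56:17 2030
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"
SUBJECT_RE = re.compile(r"^Subject = (.+)$")
STATUS_RE = re.compile(r"^Status = (\S+) Kind = (\S+) Serial = (\d+)")
DATES_RE = re.compile(r"^Not_Before: (.+?) Not_After: (.+)$")


def parse_dn(dn):
    """Split 'CN=x,OU=y,O=z' into a dict; the O attribute names the issuing ICA."""
    return dict(part.split("=", 1) for part in dn.split(","))


def parse_lscert(text):
    """Return one dict per certificate: subject attributes, status, kind, serial, validity."""
    certs, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SUBJECT_RE.match(line)
        if m:
            current = {"subject": m.group(1), **parse_dn(m.group(1))}
            certs.append(current)
            continue
        m = STATUS_RE.match(line)
        if m and current is not None:
            current["status"], current["kind"] = m.group(1), m.group(2)
            current["serial"] = int(m.group(3))
            continue
        m = DATES_RE.match(line)
        if m and current is not None:
            current["not_before"] = datetime.strptime(m.group(1), DATE_FMT)
            current["not_after"] = datetime.strptime(m.group(2), DATE_FMT)
    return certs


def duplicate_cns(certs, kind="SIC", status="Valid"):
    """CN -> sorted serials, for CNs holding more than one certificate of that kind/status."""
    by_cn = defaultdict(list)
    for c in certs:
        if c.get("kind") == kind and c.get("status") == status:
            by_cn[c["CN"]].append(c["serial"])
    return {cn: sorted(s) for cn, s in by_cn.items() if len(s) > 1}


def issuing_orgs(certs):
    """Distinct O values across all subjects; a single ICA means exactly one entry."""
    return sorted({c["O"] for c in certs if "O" in c})


def newest_serial(certs, cn):
    """Serial of the most recently issued certificate for a CN (by Not_Before)."""
    matching = [c for c in certs if c.get("CN") == cn]
    return max(matching, key=lambda c: c["not_before"])["serial"]


def report(text):
    """Human-readable summary: O consistency plus every duplicated CN."""
    certs = parse_lscert(text)
    orgs = issuing_orgs(certs)
    lines = [f"{len(certs)} certificates parsed; issuing O values: {orgs}"]
    if len(orgs) != 1:
        lines.append("WARNING: more than one O value; not all entities share one ICA")
    for cn, serials in duplicate_cns(certs).items():
        lines.append(f"duplicate CN={cn}: serials {serials}; newest is {newest_serial(certs, cn)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On a real SMS: cpca_client lscert -kind SIC -stat Valid > lscert.txt, then feed the file in.
    print(report(SAMPLE_LSCERT))
```

Run it once before the revocation and once after `cprestart`; the first report should list the duplicated CN and a single O, the second should list no duplicates and the same single O. If the O set ever has more than one entry, stop and work out which ICA the gateways actually trust before revoking anything.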
Thanks again for your previous feedback—it was really helpful. I have another question regarding the SIC certificates on my SMS.
When I inspect the certificates, I notice that in the Issuer field, under O, it does not show the name of my current SMS.
A bit of history: there was originally an attempt to set up this SMS in HA, and I'm not sure if that could be the reason why there are currently duplicate SIC certificates (cp_mgmt and cp_mgmt_mysms).
I also noticed that in your lab screenshots, the O field matches the SMS name (CP-MANAGEMENT), which is different from what I see in my environment.
My questions are:
Normally, should the Issuer O field show the current SMS name, or is it expected to have another value (like the original SMS from the HA attempt)?
Could these duplicates be a leftover from the previous HA setup, or is this behavior normal?
I just want to understand if it’s expected that O doesn’t match the current SMS name, so I can proceed confidently with cleanup.
Thanks in advance for any clarification!
All good, questions are free lol
Can you give an example, I can check the lab? Gotta jump on harmony sase call shortly...fun times haha
Andy
Here’s an example from my environment for reference:
SMS certificate:
CN = cp_mgmt
O = ExampleName...abedfas (even though my SMS is called MySMS)
Gateway certificate:
CN = <gateway_name>
O = ExampleName...abedfas
Does O match in both cases?
Andy
Yes
Gateway AND mgmt?
Yes, in both
Then it would be fine. But again, in all honesty, and this is just my HONEST suggestion, apart from all you suggested and what we discussed, I would 100% get a backup AND snapshot (if possible, of the mgmt server) and definitely open a proactive case for this. I get every TAC case is break-fix, but in case something did happen (hopefully not), you have the case to rely on, without having to spend time having one created.
If you need me to test anything in ICA tool, let me know.
Best,
Andy
Not sure if you followed below, but if not, I would enable ICA mgmt tool, much easier.
Andy
@jennyado Sorry...I read your post CAREFULLY again and those steps make perfect sense to me. Honestly though, just to be on the safe side, I would open proactive TAC case myself, in case anything happens. I also attached some screenshots from my lab.
Andy
Also Jenn, if you are ever in doubt, just see what this line says on your side...this HAS TO MATCH for all gateways (or entities if you will) managed by that mgmt server.
Andy
Issuer: O=CP-MANAGEMENT..pi6w5j (my lab example)
What I recall from having to recreate MultiDomain SIC (as the renewal didn't work): at the point where we changed the SIC for the Domain with a lot of VPNs, we created an outage.
It was a short one, as we had a team doing SIC resets like crazy and it was announced.
But that was the issue with Domain SIC that was based on a new certificate.
Think of it like building a new CA and issuing certificates from it.
So I would schedule an outage.
I agree with you Hugo 100%. In my opinion, this would be way too risky to do during regular hours.
Andy
@the_rock
I performed the activity following the steps described at the beginning of this post, and so far, we have had no reports of failures.
Excellent job, glad you got it working.
Andy