Timothy_Shover
Explorer

VPN Certificate renewal

Hi All,

I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal. I manage a large environment and most of the equipment outlives its 5-year life cycle, which is the default length of the IKE certificates. I have been bitten by the certificate expiration and VPN tunnel drops causing an outage. I have developed a process to run cpca_client lscert -kind IKE and comb the data for expirations, but it's currently a manual process. Wondering if we can use the mgmt_cli to do something more automated. Any ideas?

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
You can call that specific command using the run-script API, but beyond that, there aren't any APIs for this.
Of course, if you're using the ICA, certificates should auto-renew on their own.

0 Kudos
(1)
PhoneBoy
Admin

To provide an update: we have a script that will renew all the IKE certificates in a given management domain or MDS server.
It requires some code changes in the management that will be released in an upcoming JHF.
Integration has been done for R81.20 (PRJ-47019) and R81.20 (PRJ-47018), R81 is still in progress.
All of this will be in an SK, which will be released once the JHF including the necessary fixes is public.

46 Replies
Vincent_Bacher
Advisor

I am sorry, I just wanted to click on reply and clicked on solution by mistake.

@PhoneBoy: I have a question regarding VPN certificate renewal.

You wrote that when using ICA, IKE certificates should be renewed automatically. So far so good.
My question is: When is this performed? Directly after the time of expiry? Or earlier?

I have a customer here with ~300 SMB appliances (1100 series) where roughly 150 certificates will expire in the next weeks.
All gateways are managed by SmartProvisioning except the central gateway, which is not an SMB of course.

So for them it's really important to know this exactly. Where can we get a proof explanation of that?

Will open an SR in addition to this reply as soon as I have the necessary rights in UC for that customer account.

Cheers

Vincent

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
PhoneBoy
Admin
For SIC in particular, it looks like that does not auto-renew on SMB per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
For VPN certificates, if we didn't support it, you wouldn't have an SK like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe it starts the auto-renewal process 60 days before.
0 Kudos
Vincent_Bacher
Advisor

In this case, the next certificates will expire on the 12th of July. So here something is going wrong, right?

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
PhoneBoy
Admin
Agreed and it might be good to get the TAC involved.
0 Kudos
Vincent_Bacher
Advisor

Thanks, SR is created.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Duane_Toler
Advisor

Like you, I've been seeing IKE certificates [SmartCenter-managed] not getting auto-renewed like they should. Not sure what's failing, but something certainly is amiss. This seems to be some R80-specific issue; I certainly don't recall this error with R77 and earlier.

0 Kudos
Vincent_Bacher
Advisor

Interesting. I think it's not relevant whether it's SmartProvisioning or SmartCenter, as it's the same internal CA.

Opened a high-prio SR 6 hours ago and had to press escalate to get the first update: "is this internal or external CA" 😁

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Vincent_Bacher
Advisor

Now I received mail from TAC:

I wanted to update you that this option is not available and the certificates on the GW will need to be renewed manually.

As we are talking about roughly 250 certificates, I am not really amused.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
(1)
JozkoMrkvicka
Authority

Well, someone from your team will be very happy to do this monkey job...

But at least he/she will get a lot of overtime 😄

Kind regards,
Jozko Mrkvicka
0 Kudos
Vincent_Bacher
Advisor
In our case the customer will have to do it. Would be a bit expensive paying for that nonsense.
and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Duane_Toler
Advisor

That's particularly disturbing, as it worked in R77 and earlier. Plus it also defeats the purpose of a centralized certificate and key management server.

I suspect someone at TAC is either A) wrong, or B) not realizing they have a bug. Might could contact your SE and escalate (annoying, I know). I say it's a bug.

0 Kudos
JozkoMrkvicka
Authority
There are dozens of features which were available in R77 but are missing in R80. In most cases, you are asked to create an RFE...
Kind regards,
Jozko Mrkvicka
0 Kudos
Duane_Toler
Advisor

Now another case of a customer's gateway VPN certificates expiring. My customer is already asking about switching to Meraki. They already did it for some smaller sites. If Check Point isn't going to fix auto-renewal of VPN certificates, you'll be losing more customers. What's the point of the FW1_ica_pull and FW1_ica_push services if certificates aren't being auto-renewed? I never had to do this manually in R77 and lower.

The next time my customer(s) mention "Meraki" or "Firepower", I'm not going to stop them. Esp. as I'm CCNP R/S, CCDP, and CCNP Security, too.

0 Kudos
Vincent_Bacher
Advisor
To be honest, I agree. But.
Before getting absolute certainty, my customer has already revoked all certs manually, and nobody cares what will be in five years.
and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
0 Kudos
Don_Sudom
Explorer

You could use this as a cron job from the management server:
1 1 * * * . /opt/CPshared/5.0/tmp/.CPprofile.sh; cpca_client lscert -stat Valid | tail -n +4 | awk 'BEGIN {RS="\n\n"; FS="\n";} {print $1,$2,$3;}' | logger -t lscert

And then here is a nice splunk alert:

index=gaia process=lscert
| rex field=_raw "lscert:\s+Subject\s+=\s+(?<dn>.*)\s+Status\s+=.*Not_After:\s+(?<expiry>.*)"
| eval expiry=strptime(expiry, "%a %B %d %H:%M:%S %Y")
| dedup dn,Kind
| where expiry < relative_time(_time, "+90d")
| eval days_left=floor((expiry-now())/86400)
| eval expiry=strftime(expiry,"%Y-%m-%dT%H:%M:%S%z")
| table _time,dn,Kind,expiry,days_left
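For anyone without Splunk, here is the same check done directly on the management server, as an added example (not Don's code and not a Check Point tool). It parses the blank-line-separated records the cron line above feeds to awk, keeps the newest Not_After per (Subject, Kind) so a renewed cert does not keep alarming on its predecessor, and lists everything inside a 90-day window. The sample lscert output and the fixed "now" are constructed; the exact field layout (Subject =, Status =, Kind =, Not_After:) is an assumption modelled on the regex in the Splunk alert, so check it against your own cpca_client output.

```python
import re
import sys
from datetime import datetime

# Constructed sample of `cpca_client lscert -stat Valid` output. The layout is an
# assumption modelled on the fields the Splunk rex above expects; real output
# may differ in spacing or extra fields.
SAMPLE_LSCERT = """\
Operation succeeded. rc=0.
3 certificates found.

Subject = CN=gw-branch-01 VPN Certificate,O=mgmt.example..a1b2c3
Status = Valid   Kind = IKE   Serial = 10001   DP = 0
Not_Before: Tue Aug  1 09:00:00 2023   Not_After: Wed Oct  9 09:00:00 2024

Subject = CN=gw-branch-02 VPN Certificate,O=mgmt.example..a1b2c3
Status = Valid   Kind = IKE   Serial = 10002   DP = 0
Not_Before: Tue Aug  1 09:00:00 2023   Not_After: Fri Jul 31 09:00:00 2026

Subject = CN=cp_mgmt,O=mgmt.example..a1b2c3
Status = Valid   Kind = SIC   Serial = 10003   DP = 0
Not_Before: Tue Aug  1 09:00:00 2023   Not_After: Sat Sep 14 09:00:00 2024
"""

# Fixed reference time (constructed) so the sample evaluates the same every run.
REFERENCE_NOW = datetime(2024, 7, 12, 9, 0, 0)

FIELDS = {
    "dn": re.compile(r"^Subject\s*=\s*(.+?)\s*$", re.M),
    "status": re.compile(r"Status\s*=\s*(\S+)"),
    "kind": re.compile(r"Kind\s*=\s*(\S+)"),
    # ctime-style stamp such as "Wed Oct  9 09:00:00 2024"
    "not_after": re.compile(
        r"Not_After:\s*(\w{3}\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})"),
}


def _grab(rx, block):
    m = rx.search(block)
    return m.group(1) if m else None


def parse_lscert(text):
    """Split lscert output into per-certificate records (blank-line separated,
    the same split as awk RS="\\n\\n") and extract the fields we care about."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if "Subject" not in block:
            continue  # header lines such as "3 certificates found."
        rec = {name: _grab(rx, block) for name, rx in FIELDS.items()}
        if rec["dn"] is None or rec["not_after"] is None:
            continue  # incomplete record: skip it rather than mis-date it
        rec["not_after"] = datetime.strptime(rec["not_after"], "%a %b %d %H:%M:%S %Y")
        records.append(rec)
    return records


def expiring(text, now=None, within_days=90, kinds=("IKE", "SIC")):
    """Return certs of the given kinds that expire within `within_days`,
    soonest first. Only the newest Not_After per (dn, kind) is considered."""
    now = now or datetime.now()
    latest = {}
    for rec in parse_lscert(text):
        if rec["kind"] not in kinds:
            continue
        key = (rec["dn"], rec["kind"])
        if key not in latest or rec["not_after"] > latest[key]["not_after"]:
            latest[key] = rec
    rows = []
    for rec in latest.values():
        days_left = (rec["not_after"] - now).days
        if days_left < within_days:
            rows.append({**rec, "days_left": days_left})
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    # Live use: cpca_client lscert -stat Valid | python3 cert_expiry.py
    use_sample = sys.stdin.isatty()
    data = SAMPLE_LSCERT if use_sample else sys.stdin.read()
    for r in expiring(data, now=REFERENCE_NOW if use_sample else None):
        print(f"{r['days_left']:4d} days  {r['kind']:4s}  "
              f"{r['not_after']:%Y-%m-%d}  {r['dn']}")
```

Run without input to see the sample (two of the three certs fall inside the window); pipe real lscert output in, source .CPprofile.sh first as in the cron line, and feed the result to logger or to mail from the same cron entry.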

dt7
Contributor

Hi @PhoneBoy ,

Regarding that part you mentioned:


@PhoneBoy wrote:
For VPN certificates, if we didn't support it, you wouldn't have an SK like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe it starts the auto-renewal process 60 days before.

How does the renewal process actually happen? You will see an alert on SmartConsole starting 60 days before and it will auto-renew at the next policy push, is it?

I had a case recently of an SMB gateway (R81.10) where the VPN certificate did not auto-renew and expired after 1 year, so I am wondering. I got a notification about the issue when I pushed a policy again.


Thanks.

0 Kudos
PhoneBoy
Admin

One thing that is not auto-renewed is the ICA itself.
That, for sure, has to be done manually.
https://support.checkpoint.com/results/sk/sk158096 

There's also an SK that talks about manually renewing the gateway's VPN certificate: https://support.checkpoint.com/results/sk/sk178304 
At least in R81.20, it should give you a warning about the need for this.
Can't find documentation that this certificate is auto-renewed.

The only place that explicitly mentions renewal of certificates is for users to authenticate to the VPN.
That has an SK that discusses debugging the process: https://support.checkpoint.com/results/sk/sk114952 

0 Kudos
ptuttle_2
Contributor

There seems to be confusion on the auto-renewal of VPN site-to-site certs. Seem to recall R77.30 had the ability to auto-renew, but not 100% sure of that.

I performed SK170558 to see how many years IKE certs could be extended and could only get 3 years.

Doing SK178304 manually for several hundred Gateways will be very painful.  Anyone have knowledge of a script that could do this?

Also would like to know, if R77.30 had this ability, why would Check Point not include this in a newer version.

But for the ICA it looks like this will now auto-renew? Take 26 R81.20

PRJ-44577,
PMTR-90463

Internal CA

NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

0 Kudos
PhoneBoy
Admin

I forgot R81.20 added the ability to auto-renew the ICA.
However, that doesn't help with the VPN certificates for gateways.
The actions required to renew the VPN certificates don't currently have API support, and I don't believe they can be scripted.

0 Kudos
cir007
Contributor

Hello,

So to summarize, there is no way to automate the S2S IPsec VPN certificate on the full Gaia platform? If you have one hundred S2S locations, that means that all of the locations have to be renewed manually... every year. I think that I speak for the whole community when I say that "autorenew IPsec cert" should be at least an enable/disable feature.

Br

CheckPointerXL
Advisor

Hi all,

Any update on the auto-renewal VPN certificates feature?

Any API script?

Thanks

0 Kudos
Hugo_vd_Kooij
Advisor

From what I recall, the auto-renewal should work on most recent versions that are on the latest GA JHF. In the JHF release notes you will find some references to which things were fixed in which release.

If you still have issues after the fact not listed in SecureKnowledge, I strongly recommend a TAC case.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
CheckPointerXL
Advisor

Auto-renewal in the latest JHF is related to the ICA Root CA, not the certificates for VPN, multiportal etc., from what I know.

0 Kudos
ptuttle_2
Contributor

We are getting ready to order several hundred SMBs for site-to-site VPN back to our head-end Check Point GWs.

Even if we expand the internal certs on our SMS from 1 year to 3 years, are we going to have to manually renew our VPN certs at 3 years?

I always thought this VPN auto-renewal worked in previous versions (pre-R80), but I cannot seem to find anything stating this, other than this:

R81.10 Take 95
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

0 Kudos
CheckPointerXL
Advisor

That's what I said.

Pay attention with certs longer than 1 yr; you can face problems like this: https://support.checkpoint.com/results/sk/sk180644

0 Kudos
ptuttle_2
Contributor

Thanks. Did not realize this (sk180644). And I can't see us renewing hundreds of these VPNs on a yearly basis.

0 Kudos
PhoneBoy
Admin

We plan on releasing a mechanism to do a mass renewal of certificates in the coming weeks.

(3)
ptuttle_2
Contributor

That's GREAT news!! Thanks very much for the update.

-pat

0 Kudos