I am sorry, i just wanted to click on reply and clocked on solution by mistake.

@PhoneBoy: I have a question regarding VPN certificate renewal.

You wrote that when using ICA, IKE certificates should be renewed automatically. So far so good.
My question is: When is this performed? Directly after the time of expiry? Or earlier?

I have a customer here with ~300 SMB appliances (1100 series) where round about 150 certificates will expire in the next weeks.
All gateways are managed by SmartProvisioning except central gateway which is not a smb of course.

So for them it's really important to know this exactly. Where can we get a proof explanation of that?

Will open a SR in addition to this reply as soon as i have necessary rights in uc for that customer account.

Cheers

Vincent

In this case, the next certificates will expire at 12th of July. So here something is going wrong,  right? 

tnx, sr is created

Like you, I've been seeing IKE certificates [SmartCenter-managed] not getting auto-renewed like they should.  Not sure what's failing, but something certainly is amiss.  This seems to be some R80-specific issue; I certainly don't recall this error with R77 and earlier. 

Interesting. I think it's not relevant if it's SmartProvisioning or SmartCenter as it's the same internal ca.

Opened a high prio sr 6 hours ago and had to press escalate to get the first update "is this internal or external ca" 😁

Now i received mail from tac:

I wanted to update you that this option is not available and the certificates on the GW will need to be renewed manually.

As we are talking about round about 250 certificates, I am not really amused.

well, someone from your team will be very happy to do this monkey job...

But at least, he/she will get a lot of overtimes 😄

That's particularly disturbing, as it worked in R77 and earlier.  Plus it also defeats the purpose of a centralized certificate and key management server.

I suspect someone at TAC is either A) wrong, or B) not realizing they have a bug.  Might could contact your SE and escalate (annoying, I know).  I say it's a bug.

Now another case of customer's gateway VPN certificates expiring.  My customer is already asking about switching to Meraki.  They already did it for some smaller sites.  If Check Point isn't going to fix auto-renewal of VPN certificates, you'll be losing more customers.  What's the point of the FW1_ica_pull and FW1_ica_push services if certificates aren't being auto-renewed?  I never had to do this manually in R77 and lower.

The next time my customer(s) mention "Meraki" or "Firepower", I'm not going to stop them.  Esp. as I'm CCNP R/S, CCDP, and CCNP Security, too.

You could use this as a cron job from the management server:
1 1 * * * . /opt/CPshared/5.0/tmp/.CPprofile.sh; cpca_client lscert -stat Valid | tail -n +4 | awk 'BEGIN {RS="\n\n"; FS="\n";} {print $1,$2,$3;}' | logger -t lscert

And then here is a nice splunk alert:

index=gaia process=lscert
| rex field=_raw "lscert:\s+Subject\s+=\s+(?<dn>.*)\s+Status\s+=.*Not_After:\s+(?<expiry>.*)"
| eval expiry=strptime(expiry, "%a %B %d %H:%M:%S %Y")
| dedup dn,Kind
| where expiry < relative_time(_time, "+90d")
| eval days_left=floor((expiry-now())/86400)
| eval expiry=strftime(expiry,"%Y-%m-%dT%H:%M:%S%z")
| table _time,dn,Kind,expiry,days_left

Hi @PhoneBoy ,

Regarding that part you mentionned:

---

@PhoneBoy wrote:
For VPN certificates, if we didn't support it, you wouldn't have an SK like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe it starts the auto-renewal process 60 days before.

---

How does the renewal process actually happen? You will see an alert on SmartConsole starting 60days before and it will auto-renew at the next policy push is it?

I had a case recently of an SMB gateway (R81.10) were the VPN certificate did not auto-renew and expired after 1year so I am wondering. I got a notification about the issue when I pushed a policy again.

Thanks.

One thing that is not auto-renewed is the ICA itself.
That, for sure, has to be done manually.
https://support.checkpoint.com/results/sk/sk158096 

There's also an SK that talks about manually renewing the gateway's VPN certificate: https://support.checkpoint.com/results/sk/sk178304 
At least in R81.20, it should give you a warning about the need for this.
Can't find documentation that this certificate is auto-renewed.

The only place that explicitly mentions renewal of certificates is for users to authenticate to the VPN.
That has an SK that discusses debugging the process: https://support.checkpoint.com/results/sk/sk114952 

There seems to be confusion on the auto renewal of VPN site to site certs.  Seem to recall R77.30 had the ability to auto renew but not 100% sure of that. 

I performed SK170558 to see how many years IKE certs could be extended and could only get 3 years.

Doing SK178304 manually for several hundred Gateways will be very painful.  Anyone have knowledge of a script that could do this?

Also would like to know if R77.30 had this ability why would Check Point not include this in a newer version.

But for the ICA looks like this will now auto renew?  Take 26 R81.20

I forgot R81.20 added the ability to auto-renew the ICA.
However, that doesn't help with the VPN certificates for gateways.
The actions required to renew the VPN certificates don't currently have API support and don't believe they can be scripted.

Hello,

so to summarize, there is no way to automate the S2S IPsec VPN certificate on full Gaia platform? If you have one hundred S2S locations, that mean that all of the locations have to be renewed manually...every year. I think that I speak for the whole community when I say that "autorenew IPsec cert" should be at least an enable/disable feature.

Br

From what I recall the autorenewal should work on most recent versions that are on the latest GA JHF. In the JHF release notes you will find some references into which things were fixed in which release. 

If you still have issues after the fact not listed in Secure Knowledge I strongly recommend a TAC case.

autorenewal in latest JHF is related to ICA Root CA not certificates for vpn, multiportal etc. from what i know

We are getting ready to order several hundred SMBs for site to site VPN back to our head end Check Point GWs.

Even if we expand the Internal certs on our SMS from 1 year to 3 years,  Are We going to have to manually renew our VPN certs at 3 years?

I always thought this VPN auto renewal worked in previous version (Pre-R80)  but I cannot seem to find anything stating this, other than this.

R81.10 Take 95
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

That's what i said

Pay attention with certs longer than 1yr, you can face problem like this https://support.checkpoint.com/results/sk/sk180644

Thanks.  Did not realize this (sk180644).  And I can't see us renewing hundreds of these VPNs on a yearly basis.

We plan on releasing a mechanism to do a mass renew of certificates in the coming weeks. 

That's GREAT news!!.  Thanks very much for the update.

-pat