VPN Certificate renewal
Hi All,
I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal. I manage a large environment, and most of the equipment outlives its 5-year life cycle, which is the default length of the IKE certificates. I have been bitten by certificate expiration and VPN tunnel drops causing an outage. I have developed a process to run cpca_client lscert -kind IKE and comb the data for expirations, but it's currently a manual process. Wondering if we can use the mgmt_cli to do something more automated. Any ideas?
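As an added example (not code from this thread, and not a Check Point tool), the script below automates the manual step described above: it runs cpca_client lscert -kind IKE on the management server, parses each certificate's Not_After stamp and reports the valid certificates that expire inside an alert window, exiting non-zero so a cron or monitoring job can alert. The line layout it parses, the embedded sample output, the bare cpca_client command name and the --days/--from-file options are assumptions of the example, not documented behaviour; compare the parser against a real lscert run before relying on it.

```python
#!/usr/bin/env python3
"""Flag ICA-issued IKE certificates that expire within N days.

Intended to run on the Security Management server (expert mode), e.g.:
    python3 ike_cert_expiry.py --days 90
Exit code 2 when at least one valid IKE certificate is inside the window.
"""
import argparse
import re
import subprocess
import sys
from datetime import datetime

# ctime-style stamps as they appear in lscert output (assumed format)
DATE_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample of `cpca_client lscert -kind IKE` output. The block layout
# (Subject / Status-Kind-Serial / Not_Before-Not_After) is an assumption about
# the real format, so verify it against your own management server.
SAMPLE_LSCERT = """\
Operation succeeded. 3 certificates have been found.

Subject = CN=gw-branch01 VPN Certificate,O=mgmt.example.local.abc123
Status = Valid   Kind = IKE   Serial = 10001   DP = 0
Not_Before: Fri Jan 12 10:21:16 2024   Not_After: Sat Jan 11 10:21:16 2025

Subject = CN=gw-dc01 VPN Certificate,O=mgmt.example.local.abc123
Status = Valid   Kind = IKE   Serial = 10002   DP = 0
Not_Before: Mon Mar  4 09:00:00 2024   Not_After: Thu Mar  4 09:00:00 2027

Subject = CN=gw-old VPN Certificate,O=mgmt.example.local.abc123
Status = Revoked   Kind = IKE   Serial = 10003   DP = 0
Not_Before: Mon Mar  4 09:00:00 2019   Not_After: Wed Mar  3 09:00:00 2021
"""


def parse_date(stamp):
    """Parse a ctime-style stamp; collapse the double space before 1-digit days."""
    return datetime.strptime(" ".join(stamp.split()), DATE_FMT)


def parse_lscert(text):
    """Turn lscert output into dicts with subject, status, kind, serial, not_after."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Subject = "):
            cur = {"subject": line[len("Subject = "):]}
            certs.append(cur)
        elif cur is not None and line.startswith("Status = "):
            # "Status = Valid   Kind = IKE   Serial = 10001   DP = 0"
            for key, val in re.findall(r"(\w+) = (\S+)", line):
                cur[key.lower()] = val
        elif cur is not None and line.startswith("Not_Before:"):
            m = re.match(r"Not_Before:\s+(.+?)\s+Not_After:\s+(.+?)\s*$", line)
            if m:
                cur["not_before"] = parse_date(m.group(1))
                cur["not_after"] = parse_date(m.group(2))
    return certs


def expiring_soon(certs, now, days):
    """Valid certs whose Not_After is within `days` of `now`; expired ones included.

    Returns (subject, serial, days_left) tuples, soonest first. Revoked or
    otherwise non-Valid certificates are skipped since they are no longer
    the ones keeping a tunnel up.
    """
    hits = []
    for c in certs:
        if c.get("status", "").lower() != "valid" or "not_after" not in c:
            continue
        left = (c["not_after"] - now).days
        if left <= days:
            hits.append((c["subject"], c.get("serial", "?"), left))
    return sorted(hits, key=lambda h: h[2])


def run_lscert(kind="IKE"):
    """Query the ICA on this management server (Check Point env must be in PATH)."""
    out = subprocess.run(["cpca_client", "lscert", "-kind", kind],
                         capture_output=True, text=True, check=True)
    return out.stdout


def main(argv=None):
    ap = argparse.ArgumentParser(description="Report IKE certificates nearing expiry")
    ap.add_argument("--days", type=int, default=90, help="alert window in days")
    ap.add_argument("--from-file", help="parse saved lscert output instead of running it")
    args = ap.parse_args(argv)
    text = open(args.from_file).read() if args.from_file else run_lscert()
    hits = expiring_soon(parse_lscert(text), datetime.now(), args.days)
    for subject, serial, left in hits:
        state = "EXPIRED" if left < 0 else f"{left} days left"
        print(f"{state:>14}  serial={serial}  {subject}")
    return 2 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

Schedule it from cron on the management server with a window longer than your change lead time; the exit code distinguishes "nothing due" from "renewal needed" without parsing the printed report.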
Is there any further update on when the mechanism to do mass renew of certificates is likely to release?
Hi
Are there any news on that? Is this on the roadmap for R82?
BTW: is there any way to mass renew the certificates of a Gaia Portal (or at least a way to create and renew it on the box itself if you do not have any multiportal features active)?
Reason: my customer also has more than a hundred firewalls, and it looks like we have to renew the VPN and Gaia certificates once a year manually. Customer is not amused ... 😉
@dafi-sg I've no solution for an automatic renewal, but you can extend the 1-year period to 3 years via "cpca_client set_cert_validity -k IKE -y 3".
Have a look at: IKE certificate validity period has changed from 5 years to 1 year by default
We had a meeting a few weeks back with our Check Point Sales Team and some internal Check Point folks, and they said they are working on a solution to this for some type of auto-renewal process. They were not able to say exactly when something would be out, but thought soon.
Hi, is there any further update to this?
Last I've heard is that there will be APIs for managing all this in R82.
I assume this also means we'll have some UI for it in SmartConsole, but haven't received confirmation of that.
As for getting this functionality in current releases, I haven't heard an update yet.
Hello,
Any update on auto renewal of VPN certs? The only workaround so far is to change the default validity of VPN (IKE) certificates from the default 1 year to a maximum of 3 years. After 3 years, you (still) have to renew the VPN cert manually.
Looping in @Liel_Shaish, who was R&D owner of the Check Point Internal Certificate Authority back in 2021 (see relevant thread IKE certificate validity during renew on R81).
Jozko Mrkvicka
To provide an update: we have a script that will renew all the IKE certificates in a given management domain or MDS server.
It requires some code changes in the management that will be released in an upcoming JHF.
Integration has been done for R81.20 (PRJ-47019) and R81.20 (PRJ-47018); R81 is still in progress.
All of this will be in an SK, which will be released once the JHF including the necessary fixes are public.
Please note the script was recently released.
How to renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways
https://support.checkpoint.com/results/sk/sk182070
This is wonderful! Thank you!
How will Smart-1 Cloud customers be handled?
I assume Smart-1 Cloud customers will need to open a TAC case to have this done.
I read through the script from the SK article, and it's quite extensive (and impressive!). I see R81.20 JHF 54 introduced a new command and I see lots of new API-based activities, some of which are already in place. I can see where they're going with this in the future... they're tracking towards having this whole process be server-side API enabled! That'll be quite exciting and very nice. It's not there yet, but it's not far away. Once they sort out how to do the openssl pkcs12 elements, they'll have it done.
I bet they can do this a lot easier than they think they can. Link CPM to the libcrypto pieces, add the shim code for PKCS12 ... assuming GPL agrees with that. Might have an issue there.
Anyhoo... it looks good, I like where it's going; Hopefully they can get us there quickly and bug-free. 😆
Here's what I believe are the relevant APIs coming in R82 that speaks to what you're saying 🙂
Oooo!! Nice treat! Thanks 🙂
If you've got the R82 EA installed in a lab, you can go to https://mgmt-ip/api_docs/ and select v2 to see all the details 🙂
Sadly, I missed out on the R82 Public EA earlier. I'll be on it like white-on-rice-on-a-paper-plate-in-a-snow-storm when it's released tho!
I checked the Ansible Mgmt API module GitHub repo, and it looks like they have some of the R82 modules ready to go already. I also noticed that in the new 6.0.0 Mgmt API Ansible modules there's a vsx-provisioning-tool API! \o/ Excellent to have the API, and even better to have Ansible module parity with it on Day 1.
vsx-provisioning-tool will be directly callable via API, yes.