Timothy_Shover
Explorer

VPN Certificate renewal

Hi All,

I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal.  I manage a large environment and most of the equipment outlives its 5-year life cycle, which is the default length of the IKE certificates.  I have been bitten by the certificate expiration and VPN tunnel drops causing an outage.  I have developed a process to run the cpca_client lscert -kind IKE and comb the data for expirations, but it's currently a manual process.  Wondering if we can use the mgmt_cli to do something more automated.  Any ideas?

0 Kudos
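The manual step described in the post above (run cpca_client lscert -kind IKE and comb the output for expirations) can be scripted. The following is an added example, not part of the original post and not Check Point code; the three-line record layout in the constructed sample is an assumption about the lscert output, and the function names are hypothetical.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample. The three-line record layout is an assumption about
# what `cpca_client lscert -kind IKE` prints; adjust RECORD if yours differs.
SAMPLE = """\
Subject = CN=gw-branch01 VPN Certificate,O=mgmt.example.abc123
Status = Valid   Kind = IKE   Serial = 10234   DP = 1
Not_Before: Tue Mar  5 09:12:44 2024   Not_After: Wed Mar  5 09:12:44 2025

Subject = CN=gw-dc02 VPN Certificate,O=mgmt.example.abc123
Status = Valid   Kind = IKE   Serial = 20771   DP = 2
Not_Before: Mon Jan  6 14:00:00 2025   Not_After: Tue Jan  6 14:00:00 2026

Subject = CN=gw-old03 VPN Certificate,O=mgmt.example.abc123
Status = Revoked   Kind = IKE   Serial = 9001   DP = 0
Not_Before: Sat Feb  1 08:00:00 2020   Not_After: Fri Jan 31 08:00:00 2025
"""

RECORD = re.compile(
    r"Subject\s*=\s*(?P<subject>.+?)\s*\n"
    r"Status\s*=\s*(?P<status>\S+)\s+Kind\s*=\s*(?P<kind>\S+)"
    r"\s+Serial\s*=\s*(?P<serial>\d+).*\n"
    r"Not_Before:\s*.+?\s+Not_After:\s*(?P<not_after>.+?)\s*(?:\n|$)"
)

def parse_lscert(text):
    """Return one dict per certificate record found in lscert output."""
    certs = []
    for m in RECORD.finditer(text):
        # Collapse the padded day of month ("Mar  5") before parsing.
        stamp = " ".join(m["not_after"].split())
        certs.append({
            "subject": m["subject"], "status": m["status"],
            "serial": int(m["serial"]),
            "not_after": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
        })
    return certs

def expiring(certs, now, days=60):
    """Valid certificates that expire within `days` of `now`, soonest first."""
    limit = now + timedelta(days=days)
    hits = [c for c in certs if c["status"] == "Valid" and c["not_after"] <= limit]
    return sorted(hits, key=lambda c: c["not_after"])

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for c in expiring(parse_lscert(text), datetime.now()):
        left = (c["not_after"] - datetime.now()).days
        print(f"{c['not_after']:%Y-%m-%d} ({left:+d}d) serial={c['serial']} {c['subject']}")
```

Piping the real lscert output into the script from a scheduled job turns the manual check into a recurring report; revoked entries are skipped and already-expired valid certificates show a negative day count.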
36 Replies
JayP02
Explorer

Is there any further update on when the mechanism to do mass renew of certificates is likely to release?

 

dafi-sg
Explorer

Hi

Is there any news on that? Is this on the roadmap for R82?

BTW: is there any way to mass renew the certificates of a Gaia Portal (or at least a way to create and renew it on the box itself if you do not have any multiportal features active)?

Reason: my customer also has more than a hundred firewalls and it looks like we have to renew VPN and Gaia Certificate once a year manually. Customer is not amused ... 😉

0 Kudos
Wolfgang
Authority

@dafi-sg  I've no solution for an automatic renewal, but you can extend the 1 year period to 3 years via "cpca_client set_cert_validity -k IKE -y 3"

Have a look at "IKE certificate validity period has changed from 5 years to 1 year by default".

0 Kudos
ptuttle_2
Contributor

We had a meeting a few weeks back with our Check Point Sales Team and some internal Check Point folks, and they said they are working on a solution to this for some type of auto renewal process.  They were not able to say exactly when something would be out, but thought soon.

0 Kudos
Simon_Macpherso
Advisor

Hi, is there any further update to this? 

0 Kudos
PhoneBoy
Admin

Last I've heard is that there will be APIs for managing all this in R82.
I assume this also means we'll have some UI for it in SmartConsole, but haven't received confirmation of that.

As for getting this functionality in current releases, I haven't heard an update yet.

0 Kudos
JozkoMrkvicka
Mentor

Hello,

Any update on auto renewal of VPN certs? The only workaround so far is to change the default validity of VPN (IKE) certificates from the default 1 year to a maximum of 3 years. After 3 years, you have to renew the VPN cert manually (still).

Looping in @Liel_Shaish who was RnD owner of Check Point Internal Certificate Authority back in 2021 (see relevant thread IKE certificate validity during renew on R81).

Kind regards,
Jozko Mrkvicka
0 Kudos
