This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Shover
Explorer
‎2020-05-21 07:18 AM
Jump to solution

VPN Certificate renewal

Hi All,

I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal.  I manage a large environment and most of the equipment outlives its 5 year life cycle which is the default length of the IKE certificates.  I have been bitten by the certificate expiration and VPN tunnel drops causing an outage.  I have developed a process to run the cpca_client lscert -kind IKE and comb the data for expirations but its currently a manual process.  Wondering if we can use the mgmt_cli to do something more automated.  Any ideas?

0 Kudos
37 Replies
JayP02
Explorer
‎2023-10-21 03:26 AM
In response to PhoneBoy
Jump to solution

Is there any further update on when the mechanism to do mass renew of certificates is likely to release?

 

dafi-sg
Explorer
‎2024-01-03 05:25 AM
In response to PhoneBoy
Jump to solution

Hi 

Are there any news on that? Is this on the roadmap for R82?

BTW: is there any way to mass renew the certificates of a Gaia Portal (or at least a way to create and renew it on the box itself if you do not have any multiportal features active)?

Reason: my customer also have more than hundred firewalls and it looks like we have to renew VPN and Gaia Certificate once a year manually. Customer is not amused ... 😉

0 Kudos
Wolfgang
Authority
Authority
‎2024-01-03 08:51 AM
In response to dafi-sg
Jump to solution

@dafi-sg  I’ve no solution for an automatic renewal but you can extend the 1 year period to 3 year via „cpca_client set_cert_validity -k IKE -y 3“

have a look at IKE certificate validity period has changed from 5 years to 1 year by default 

0 Kudos
ptuttle_2
Contributor
‎2024-01-03 08:59 AM
In response to dafi-sg
Jump to solution

We had a meeting a few weeks back with our Check Point Sales Team and some internal Check Point folks and they said, They are working on a solution to this for some type of auto renewal process.  They were not able to say exactly when something would be out, but thought soon, 

0 Kudos
Simon_Macpherso
Advisor
‎2024-01-24 03:28 PM
In response to PhoneBoy
Jump to solution

Hi, is there any further update to this? 

0 Kudos
PhoneBoy
Admin
Admin
‎2024-01-24 04:17 PM
In response to Simon_Macpherso
Jump to solution

Last I've heard is that there will be APIs for managing all this in R82.
I assume this also means we'll have some UI for it in SmartConsole, but haven't received confirmation of that.

As for getting this functionality in current releases, I haven't heard an update yet.

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2024-04-09 06:20 AM
In response to PhoneBoy
Jump to solution

Hello,

Any update on auto renewal of VPN certs ? The only workaround so far is to change default validity of VPN (IKE) certificates from default 1 year to maximum of 3 years. After 3 years, you have to renew VPN cert manually (still).

Looping in @Liel_Shaish who was RnD owner of Check Point Internal Certificate Authority back in 2021 (see relevant thread IKE certificate validity during renew on R81).

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2024-04-18 07:51 AM
Jump to solution

To provide an update: we have a script that will renew all the IKE certificates in a given management domain or MDS server.
It requires some code changes in the management that will be released in an upcoming JHF.
Integration has been done for R81.20 (PRJ-47019) and R81.20 (PRJ-47018), R81 is still in progress.
All of this will be in an SK, which will be released once the JHF including the necessary fixes are public.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events