Timothy_Shover
Explorer

VPN Certificate renewal

Hi All,

I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal. I manage a large environment and most of the equipment outlives its 5 year life cycle, which is the default length of the IKE certificates. I have been bitten by the certificate expiration and VPN tunnel drops causing an outage. I have developed a process to run cpca_client lscert -kind IKE and comb the data for expirations, but it's currently a manual process. Wondering if we can use the mgmt_cli to do something more automated. Any ideas?

0 Kudos
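One way to automate the expiry sweep described in the post, as an added example that is not from the thread: a Python script that parses `cpca_client lscert -kind IKE` output and flags certificates expiring within a threshold. The record layout (Subject / Status / Not_Before / Not_After lines) and the sample output are assumptions, constructed from memory of the command's format; check the regexes against what your own management server prints.

```python
"""Flag IKE certificates nearing expiry from `cpca_client lscert -kind IKE` output."""
import re
from datetime import datetime, timedelta

# Constructed sample of `cpca_client lscert -kind IKE` output (assumed layout,
# not captured from a real system). Feed the real output in via stdin or a file.
SAMPLE_LSCERT = """\
Operation succeeded. rc=0.
2 certs found.

Subject = CN=gw-branch-01 VPN Certificate,O=mgmt-server..a1b2c3
Status = Valid   Kind = IKE   Serial = 39812   DP = 0
Not_Before: Tue Mar  5 10:12:44 2024   Not_After: Wed Mar  5 10:12:44 2025

Subject = CN=gw-hq-01 VPN Certificate,O=mgmt-server..a1b2c3
Status = Valid   Kind = IKE   Serial = 40117   DP = 0
Not_Before: Mon Jun 10 08:00:00 2024   Not_After: Fri Jun  5 08:00:00 2026
"""

SUBJECT_RE = re.compile(r"^Subject\s*=\s*(.+)$")
# ctime-style timestamp, e.g. "Wed Mar  5 10:12:44 2025" (day may be space-padded)
NOT_AFTER_RE = re.compile(r"Not_After:\s*(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})")


def parse_lscert(text):
    """Return a list of (subject, not_after datetime) tuples from lscert output."""
    certs, subject = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line.strip())
        if m:
            subject = m.group(1).strip()
            continue
        m = NOT_AFTER_RE.search(line)
        if m and subject:
            not_after = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            certs.append((subject, not_after))
            subject = None  # one Not_After per Subject record
    return certs


def expiring(text, days=90, now=None):
    """(subject, days_left) for certs expiring within `days` of `now`, or already expired."""
    now = now or datetime.now()
    cutoff = now + timedelta(days=days)
    return [(s, (na - now).days) for s, na in parse_lscert(text) if na <= cutoff]


if __name__ == "__main__":
    for subject, days_left in expiring(SAMPLE_LSCERT):
        print(f"WARNING {days_left:5d} days left: {subject}")
```

Run it from cron on the management server with `cpca_client lscert -kind IKE | python3 check_ike_expiry.py` (after swapping `SAMPLE_LSCERT` for `sys.stdin.read()`), and route the warnings to your monitoring system.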
37 Replies
JayP02
Explorer

Is there any further update on when the mechanism to do mass renew of certificates is likely to release?


dafi-sg
Explorer

Hi 

Is there any news on that? Is this on the roadmap for R82?

BTW: is there any way to mass renew the certificates of a Gaia Portal (or at least a way to create and renew it on the box itself if you do not have any multiportal features active)?

Reason: my customer also has more than a hundred firewalls, and it looks like we have to renew the VPN and Gaia certificates once a year manually. Customer is not amused ... 😉

0 Kudos
Wolfgang
Authority

@dafi-sg I've no solution for an automatic renewal, but you can extend the 1 year period to 3 years via "cpca_client set_cert_validity -k IKE -y 3"

Have a look at "IKE certificate validity period has changed from 5 years to 1 year by default".

0 Kudos
ptuttle_2
Contributor

We had a meeting a few weeks back with our Check Point Sales Team and some internal Check Point folks, and they said they are working on a solution to this for some type of auto renewal process. They were not able to say exactly when something would be out, but thought soon.

0 Kudos
Simon_Macpherso
Advisor

Hi, is there any further update to this? 

0 Kudos
PhoneBoy
Admin

Last I've heard is that there will be APIs for managing all this in R82.
I assume this also means we'll have some UI for it in SmartConsole, but haven't received confirmation of that.

As for getting this functionality in current releases, I haven't heard an update yet.

0 Kudos
JozkoMrkvicka
Mentor

Hello,

Any update on auto renewal of VPN certs? The only workaround so far is to change the default validity of VPN (IKE) certificates from the default 1 year to a maximum of 3 years. After 3 years, you (still) have to renew the VPN cert manually.

Looping in @Liel_Shaish who was RnD owner of Check Point Internal Certificate Authority back in 2021 (see relevant thread IKE certificate validity during renew on R81).

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin

To provide an update: we have a script that will renew all the IKE certificates in a given management domain or MDS server.
It requires some code changes in the management that will be released in an upcoming JHF.
Integration has been done for R81.20 (PRJ-47019) and R81.20 (PRJ-47018), R81 is still in progress.
All of this will be in an SK, which will be released once the JHF including the necessary fixes is public.
