Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Timothy_Shover
Explorer
Jump to solution

VPN Certificate renewal

Hi All,

I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal.  I manage a large environment and most of the equipment outlives its 5 year life cycle which is the default length of the IKE certificates.  I have been bitten by the certificate expiration and VPN tunnel drops causing an outage.  I have developed a process to run the cpca_client lscert -kind IKE and comb the data for expirations but its currently a manual process.  Wondering if we can use the mgmt_cli to do something more automated.  Any ideas?

0 Kudos
46 Replies
JayP02
Explorer

Is there any further update on when the mechanism to do mass renew of certificates is likely to release?

 

dafi-sg
Explorer

Hi 

Are there any news on that? Is this on the roadmap for R82?

BTW: is there any way to mass renew the certificates of a Gaia Portal (or at least a way to create and renew it on the box itself if you do not have any multiportal features active)?

Reason: my customer also have more than hundred firewalls and it looks like we have to renew VPN and Gaia Certificate once a year manually. Customer is not amused ... 😉

0 Kudos
Wolfgang
Authority
Authority

@dafi-sg  I’ve no solution for an automatic renewal but you can extend the 1 year period to 3 year via „cpca_client set_cert_validity -k IKE -y 3“

have a look at IKE certificate validity period has changed from 5 years to 1 year by default 

0 Kudos
ptuttle_2
Contributor

We had a meeting a few weeks back with our Check Point Sales Team and some internal Check Point folks and they said, They are working on a solution to this for some type of auto renewal process.  They were not able to say exactly when something would be out, but thought soon, 

0 Kudos
Simon_Macpherso
Advisor

Hi, is there any further update to this? 

0 Kudos
PhoneBoy
Admin
Admin

Last I've heard is that there will be APIs for managing all this in R82.
I assume this also means we'll have some UI for it in SmartConsole, but haven't received confirmation of that.

As for getting this functionality in current releases, I haven't heard an update yet.

0 Kudos
JozkoMrkvicka
Authority
Authority

Hello,

Any update on auto renewal of VPN certs ? The only workaround so far is to change default validity of VPN (IKE) certificates from default 1 year to maximum of 3 years. After 3 years, you have to renew VPN cert manually (still).

Looping in @Liel_Shaish who was RnD owner of Check Point Internal Certificate Authority back in 2021 (see relevant thread IKE certificate validity during renew on R81).

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin

To provide an update: we have a script that will renew all the IKE certificates in a given management domain or MDS server.
It requires some code changes in the management that will be released in an upcoming JHF.
Integration has been done for R81.20 (PRJ-47019) and R81.20 (PRJ-47018), R81 is still in progress.
All of this will be in an SK, which will be released once the JHF including the necessary fixes are public.

Simon_Macpherso
Advisor

Please note the script was recently released. 

How to renew IKE certificates for VPN, Multi-Portal, and Identity Broker on all managed Security Gateways

https://support.checkpoint.com/results/sk/sk182070

 

Duane_Toler
Advisor

This is wonderful!  Thank you!

How will Smart-1 Cloud customers be handled?

0 Kudos
PhoneBoy
Admin
Admin

I assume Smart-1 Cloud customers will need to open a TAC case to have this done.

0 Kudos
Duane_Toler
Advisor

I read through the script from the SK article, and it's quite extensive (and impressive!).  I see R81.20 JHF 54 introduced a new command and I see lots of new API-based activities, some of which are already in place. I can see where they're going with this in the future... they're tracking towards having this whole process be server-side API enabled!  That'll be quite exciting and very nice.  It's not there yet, but it's not far away.  Once they sort out how to do the openssl pkcs12 elements, they'll have it done.

I bet they can do this a lot easier than they think they can.  Link CPM to the libcrypto pieces, add the shim code for PKCS12 ... assuming GPL agrees with that.  Might have an issue there.
Anyhoo... it looks good, I like where it's going; Hopefully they can get us there quickly and bug-free. 😆

0 Kudos
PhoneBoy
Admin
Admin

Here's what I believe are the relevant APIs coming in R82 that speaks to what you're saying 🙂

image.png

image.png

image.png

image.png

image.png

image.png

0 Kudos
Duane_Toler
Advisor

Oooo!!  Nice treat! Thanks 🙂

 

0 Kudos
PhoneBoy
Admin
Admin

If you've got the R82 EA installed in a lab, you can go to https://mgmt-ip/api_docs/ and select v2 to see all the details 🙂

0 Kudos
Duane_Toler
Advisor

Sadly, I missed out on the R82 Public EA earlier.  I'll be on it like white-on-rice-on-a-paper-plate-in-a-snow-storm when it's released tho!

I checked the Ansible Mgmt API module GitHub repo and looks like they have some of the R82 modules ready to go already. I also noticed in the new 6.0.0 Mgmt API Ansible modules, there's a vsx-provisioning-tool API ! \o/   Excellent to have the API and even better to have Ansible module parity with it on Day 1.

 

PhoneBoy
Admin
Admin

vsx-provisioning-tool will be directly callable via API, yes.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events