Timothy_Shover
Explorer

VPN Certificate renewal

Hi All,

I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal. I manage a large environment and most of the equipment outlives its 5 year life cycle which is the default length of the IKE certificates. I have been bitten by the certificate expiration and VPN tunnel drops causing an outage. I have developed a process to run the cpca_client lscert -kind IKE and comb the data for expirations but it's currently a manual process. Wondering if we can use the mgmt_cli to do something more automated. Any ideas?

Accepted Solutions
PhoneBoy
Admin
You can call that specific command using the run-script API but beyond that, there aren't any APIS for this.
Of course, if you're using the ICA, certificates should auto-renew on their own.
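The original question asks for a way to automate combing `cpca_client lscert -kind IKE` output for upcoming expirations, and the accepted answer points at the run-script API as the only automation hook. The Python below is an added example, not part of this thread and not Check Point's own tooling: it parses a constructed sample of that output (the field layout it expects is an assumption; adjust the regex if your version prints it differently), flags valid IKE certificates that expire within a window, and builds the `mgmt_cli run-script` invocation one would schedule to fetch the listing from the management server. The target name `mgmt-server`, the sample dates, and the 60-day window (the auto-renewal lead time mentioned later in the thread, so anything still listed is a certificate that should have renewed and has not) are all assumptions.

```python
"""Flag IKE certificates nearing expiry in `cpca_client lscert -kind IKE` output."""
import re
from datetime import datetime, timedelta

# Constructed sample output in the layout this script assumes for
# `cpca_client lscert -kind IKE` (assumption: Subject / Status+Kind+Serial /
# Not_Before+Not_After lines per certificate; adjust CERT_RE if yours differs).
SAMPLE_OUTPUT = """\
Operation succeeded. rc=0.
3 certs found.

Subject = CN=gw-branch-01 VPN Certificate,O=mgmt.example.internal.abc123
Status = Valid   Kind = IKE   Serial = 10001   DP = 0
Not_Before: Tue Jul  9 10:00:00 2013   Not_After: Thu Jul 12 10:00:00 2018

Subject = CN=gw-branch-02 VPN Certificate,O=mgmt.example.internal.abc123
Status = Valid   Kind = IKE   Serial = 10002   DP = 0
Not_Before: Mon Feb  3 08:30:00 2014   Not_After: Sat Feb  2 08:30:00 2019

Subject = CN=gw-hq VPN Certificate,O=mgmt.example.internal.abc123
Status = Revoked   Kind = IKE   Serial = 10003   DP = 0
Not_Before: Wed Jan  1 12:00:00 2014   Not_After: Mon Dec 31 12:00:00 2018
"""

# Constructed "today" so the sample run is reproducible; use datetime.now() in practice.
SAMPLE_NOW = datetime(2018, 6, 1)

CERT_RE = re.compile(
    r"Subject = (?P<subject>.+?)\n"
    r"Status = (?P<status>\S+)\s+Kind = (?P<kind>\S+)\s+Serial = (?P<serial>\d+).*?\n"
    r"Not_Before: (?P<not_before>.+?)\s+Not_After: (?P<not_after>.+?)\n"
)
DATE_FMT = "%a %b %d %H:%M:%S %Y"   # e.g. "Thu Jul 12 10:00:00 2018"


def parse_lscert(text):
    """Turn lscert output into a list of dicts with parsed validity dates."""
    certs = []
    for m in CERT_RE.finditer(text):
        certs.append({
            "subject": m["subject"].strip(),
            "status": m["status"],
            "kind": m["kind"],
            "serial": int(m["serial"]),
            "not_before": datetime.strptime(m["not_before"].strip(), DATE_FMT),
            "not_after": datetime.strptime(m["not_after"].strip(), DATE_FMT),
        })
    return certs


def expiring(certs, now, within_days=60):
    """Valid certificates whose Not_After is within `within_days` of `now`
    (or already past), soonest first. Revoked/expired-status entries are
    skipped because they are not what keeps a tunnel up."""
    cutoff = now + timedelta(days=within_days)
    hits = [c for c in certs if c["status"] == "Valid" and c["not_after"] <= cutoff]
    return sorted(hits, key=lambda c: c["not_after"])


def days_left(cert, now):
    """Whole days until the certificate's Not_After (negative if already expired)."""
    return (cert["not_after"] - now).days


def run_script_command(target, kind="IKE"):
    """Build the mgmt_cli run-script call that runs lscert on `target`
    (a hypothetical management host name). A logged-in session is still
    required, and the script output is collected afterwards with show-task."""
    return [
        "mgmt_cli", "run-script",
        "script-name", f"lscert-{kind}",
        "script", f"cpca_client lscert -kind {kind}",
        "targets.1", target,
        "--format", "json",
    ]


if __name__ == "__main__":
    print(" ".join(run_script_command("mgmt-server")))
    for c in expiring(parse_lscert(SAMPLE_OUTPUT), SAMPLE_NOW):
        print(f"{days_left(c, SAMPLE_NOW):4d} days  serial {c['serial']}  {c['subject']}")
```

Scheduled daily, a report like this gives a lead time on the outage the original post describes: pipe the run-script result into `parse_lscert` and alert on anything `expiring` returns, since with auto-renewal working the list should stay empty.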
14 Replies
Vincent_Bacher
Advisor

I am sorry, I just wanted to click on reply and clicked on solution by mistake.

@PhoneBoy: I have a question regarding VPN certificate renewal.

You wrote that when using ICA, IKE certificates should be renewed automatically. So far so good.
My question is: When is this performed? Directly after the time of expiry? Or earlier?

I have a customer here with ~300 SMB appliances (1100 series) where round about 150 certificates will expire in the next weeks.
All gateways are managed by SmartProvisioning except central gateway which is not a smb of course.

So for them it's really important to know this exactly. Where can we get a proof explanation of that?

Will open an SR in addition to this reply as soon as I have the necessary rights in UC for that customer account.

Cheers

Vincent

and now to something completely different
PhoneBoy
Admin
For SIC in particular, it looks like that does not auto-renew on SMB per: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
For VPN certificates, if we didn't support it, you wouldn't have an SK like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe it starts the auto-renewal process 60 days before.
Vincent_Bacher
Advisor

In this case, the next certificates will expire on the 12th of July. So here something is going wrong, right?

and now to something completely different
PhoneBoy
Admin
Agreed and it might be good to get the TAC involved.
Vincent_Bacher
Advisor

tnx, sr is created

and now to something completely different
Duane_Toler
Contributor

Like you, I've been seeing IKE certificates [SmartCenter-managed] not getting auto-renewed like they should. Not sure what's failing, but something certainly is amiss. This seems to be some R80-specific issue; I certainly don't recall this error with R77 and earlier.

Vincent_Bacher
Advisor

Interesting. I think it's not relevant if it's SmartProvisioning or SmartCenter as it's the same internal CA.

Opened a high prio SR 6 hours ago and had to press escalate to get the first update "is this internal or external CA" 😁

and now to something completely different
Vincent_Bacher
Advisor

Now I received mail from TAC:

I wanted to update you that this option is not available and the certificates on the GW will need to be renewed manually.

As we are talking about round about 250 certificates, I am not really amused.

and now to something completely different
JozkoMrkvicka
Leader

well, someone from your team will be very happy to do this monkey job...

But at least, he/she will get a lot of overtime 😄

Kind regards,
Jozko Mrkvicka
Vincent_Bacher
Advisor
In our case the customer will have to do it. Would be a bit expensive paying for that nonsense.
and now to something completely different
Duane_Toler
Contributor

That's particularly disturbing, as it worked in R77 and earlier. Plus it also defeats the purpose of a centralized certificate and key management server.

I suspect someone at TAC is either A) wrong, or B) not realizing they have a bug. Might could contact your SE and escalate (annoying, I know). I say it's a bug.
JozkoMrkvicka
Leader
There are dozens of features which were available in R77, but are missing in R80. In most cases, you are asked to create an RFE...
Kind regards,
Jozko Mrkvicka
Vincent_Bacher
Advisor
To be honest, I agree. But.
Before getting absolute certainty, my customer has already revoked all certs manually and nobody cares what will be in five years.
and now to something completely different