CheckMates
VPN Certificate renewal
Hi All,
I'm wondering if anyone has a creative way to monitor/manage VPN and SIC certificate renewal. I manage a large environment and most of the equipment outlives its 5-year life cycle, which is the default length of the IKE certificates. I have been bitten by certificate expiration and VPN tunnel drops causing an outage. I have developed a process to run cpca_client lscert -kind IKE and comb the data for expirations, but it's currently a manual process. Wondering if we can use mgmt_cli to do something more automated. Any ideas?
Accepted Solutions

Of course, if you're using the ICA, certificates should auto-renew on their own.

To provide an update: we have a script that will renew all the IKE certificates in a given management domain or MDS server.
It requires some code changes in the management that will be released in an upcoming JHF.
Integration has been done for R81.20 (PRJ-47019) and R81.20 (PRJ-47018); R81 is still in progress.
All of this will be in an SK, which will be released once the JHF including the necessary fixes is public.

I am sorry, I just wanted to click on reply and clicked on solution by mistake.
@PhoneBoy: I have a question regarding VPN certificate renewal.
You wrote that when using the ICA, IKE certificates should be renewed automatically. So far so good.
My question is: When is this performed? Directly at the time of expiry? Or earlier?
I have a customer here with ~300 SMB appliances (1100 series) where around 150 certificates will expire in the next weeks.
All gateways are managed by SmartProvisioning except the central gateway, which is not an SMB, of course.
So for them it's really important to know this exactly. Where can we get a proof or explanation of that?
Will open an SR in addition to this reply as soon as I have the necessary rights in UC for that customer account.
Cheers
Vincent

For VPN certificates, if we didn't support it, you wouldn't have an SK like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe it starts the auto-renewal process 60 days before.

In this case, the next certificates will expire on 12 July. So here something is going wrong, right?

Thanks, the SR is created.

Like you, I've been seeing IKE certificates [SmartCenter-managed] not getting auto-renewed like they should. Not sure what's failing, but something certainly is amiss. This seems to be some R80-specific issue; I certainly don't recall this error with R77 and earlier.

Interesting. I think it's not relevant whether it's SmartProvisioning or SmartCenter, as it's the same internal CA.
Opened a high-priority SR 6 hours ago and had to press escalate to get the first update: "is this internal or external CA" 😁

Now I received mail from TAC:
I wanted to update you that this option is not available and the certificates on the GW will need to be renewed manually.
As we are talking about around 250 certificates, I am not really amused.

Well, someone from your team will be very happy to do this monkey job...
But at least he/she will get a lot of overtime 😄
Jozko Mrkvicka

That's particularly disturbing, as it worked in R77 and earlier. Plus it also defeats the purpose of a centralized certificate and key management server.
I suspect someone at TAC is either A) wrong, or B) not realizing they have a bug. You might contact your SE and escalate (annoying, I know). I say it's a bug.

Now another case of a customer's gateway VPN certificates expiring. My customer is already asking about switching to Meraki. They already did it for some smaller sites. If Check Point isn't going to fix auto-renewal of VPN certificates, you'll be losing more customers. What's the point of the FW1_ica_pull and FW1_ica_push services if certificates aren't being auto-renewed? I never had to do this manually in R77 and lower.
The next time my customer(s) mention "Meraki" or "Firepower", I'm not going to stop them. Especially as I'm CCNP R/S, CCDP, and CCNP Security, too.

Before getting absolute certainty, my customer has already revoked all certs manually, and nobody cares what will happen in five years.

You could use this as a cron job from the management server:
1 1 * * * . /opt/CPshared/5.0/tmp/.CPprofile.sh; cpca_client lscert -stat Valid | tail -n +4 | awk 'BEGIN {RS="\n\n"; FS="\n";} {print $1,$2,$3;}' | logger -t lscert
And then here is a nice splunk alert:
index=gaia process=lscert
| rex field=_raw "lscert:\s+Subject\s+=\s+(?<dn>.*)\s+Status\s+=.*Not_After:\s+(?<expiry>.*)"
| eval expiry=strptime(expiry, "%a %B %d %H:%M:%S %Y")
| dedup dn,Kind
| where expiry < relative_time(_time, "+90d")
| eval days_left=floor((expiry-now())/86400)
| eval expiry=strftime(expiry,"%Y-%m-%dT%H:%M:%S%z")
| table _time,dn,Kind,expiry,days_left
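The following is an added example, not code from the original post or from Check Point. It does in one place what the opening question describes by hand (run cpca_client lscert, comb the output for expirations) and what the cron job above ships to Splunk, without needing Splunk: it parses cpca_client lscert output piped in on stdin and exits non-zero when any IKE or SIC certificate expires within the threshold, so a cron entry can raise an alert on its own. The record layout, subjects, serials and dates in SAMPLE are constructed assumptions modelled on the labels the Splunk search above extracts (Subject, Status, Kind, Not_After); verify them against real output before relying on the script.

```python
#!/usr/bin/env python3
"""Flag Check Point ICA certificates that expire within N days.

Added example for this thread, not Check Point code. It parses the text that
`cpca_client lscert` prints (piped in on stdin) and exits non-zero when any
certificate of the requested kinds is inside the warning window, so it can
run from cron on the management server instead of being combed by hand.

Assumption: each certificate is a blank-line-separated record carrying the
labels Subject / Status / Kind / Serial / DP / Not_Before / Not_After, as in
the constructed SAMPLE below. Verify against real output before relying on it.
"""
import re
import sys
from datetime import datetime, timedelta

# Constructed sample in the layout described above; not captured from a real
# management server. Subjects, serials and dates are made up.
SAMPLE = """Operation succeeded. rc=0.
3 certificates found.

Subject = CN=cp_mgmt,O=mgmt.example.corp.9a1b2c
Status = Valid   Kind = SIC   Serial = 10001   DP = 0
Not_Before: Thu Jan  2 09:13:44 2020   Not_After: Sun Jan  4 09:13:44 2026

Subject = CN=gw-branch-01 VPN Certificate,O=mgmt.example.corp.9a1b2c
Status = Valid   Kind = IKE   Serial = 10002   DP = 0
Not_Before: Mon Feb 10 08:00:00 2020   Not_After: Tue Feb 10 08:00:00 2026

Subject = CN=gw-branch-02 VPN Certificate,O=mgmt.example.corp.9a1b2c
Status = Valid   Kind = IKE   Serial = 10003   DP = 0
Not_Before: Wed Jun  1 12:00:00 2022   Not_After: Thu Jun  1 12:00:00 2028
"""

# Labels are matched as whole words so the "CN=...,O=..." inside Subject is
# left alone; the leading \s* swallows the newline or run of spaces before
# each label, which is the only separator the output has.
LABEL_RE = re.compile(
    r"\s*\b(Subject|Status|Kind|Serial|DP|Not_Before|Not_After)\s*[=:]\s*")
# "Sun Jan  4 09:13:44 2026": strptime tolerates the double space before
# the day because whitespace in the format matches any run of whitespace.
DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_lscert(text):
    """Return one dict per certificate record; header text is skipped."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if "Subject" not in block:
            continue  # "Operation succeeded" / "N certificates found"
        parts = LABEL_RE.split(block)   # ['', label, value, label, value, ...]
        fields = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
        for k in ("Not_Before", "Not_After"):
            fields[k] = datetime.strptime(fields[k], DATE_FMT)
        certs.append(fields)
    return certs


def expiring(certs, within_days, now=None, kinds=("IKE", "SIC")):
    """Valid certs of the given kinds whose Not_After falls inside the window.

    Returns (subject, kind, serial, days_left) tuples, soonest first.
    `now` may be a datetime or an ISO string (handy for reproducible checks).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    horizon = now + timedelta(days=within_days)
    hits = [
        (c["Subject"], c["Kind"], c["Serial"], (c["Not_After"] - now).days)
        for c in certs
        if c["Status"] == "Valid" and c["Kind"] in kinds
        and c["Not_After"] <= horizon
    ]
    return sorted(hits, key=lambda h: h[3])


def main(argv):
    within = int(argv[1]) if len(argv) > 1 else 90
    # Read real output from a pipe; fall back to the constructed sample when
    # run interactively so the script can be tried without a management server.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    hits = expiring(parse_lscert(text), within)
    for subject, kind, serial, days in hits:
        print(f"{days:4d} days  {kind:4s} serial={serial}  {subject}")
    return 1 if hits else 0   # non-zero lets cron or a monitor raise an alert


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Assuming the script is saved as lscert_expiry.py (a hypothetical name), the same crontab line as above can call it instead of logger, e.g. `. /opt/CPshared/5.0/tmp/.CPprofile.sh; cpca_client lscert -stat Valid | python3 lscert_expiry.py 90`, and the exit status tells cron whether anything is inside the 90-day window. The threshold is deliberately larger than the 60 days the auto-renewal is said to start at, so a certificate that was not picked up for renewal is noticed while there is still time to renew it by hand.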

Hi @PhoneBoy,
Regarding that part you mentioned:
@PhoneBoy wrote:
For VPN certificates, if we didn't support it, you wouldn't have an SK like: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
I believe it starts the auto-renewal process 60 days before.
How does the renewal process actually happen? You will see an alert in SmartConsole starting 60 days before, and it will auto-renew at the next policy push, is it?
I had a case recently of an SMB gateway (R81.10) where the VPN certificate did not auto-renew and expired after 1 year, so I am wondering. I got a notification about the issue when I pushed a policy again.
Thanks.

One thing that is not auto-renewed is the ICA itself.
That, for sure, has to be done manually.
https://support.checkpoint.com/results/sk/sk158096
There's also an SK that talks about manually renewing the gateway's VPN certificate: https://support.checkpoint.com/results/sk/sk178304
At least in R81.20, it should give you a warning about the need for this.
Can't find documentation that this certificate is auto-renewed.
The only place that explicitly mentions renewal of certificates is for users to authenticate to the VPN.
That has an SK that discusses debugging the process: https://support.checkpoint.com/results/sk/sk114952

There seems to be confusion on the auto-renewal of VPN site-to-site certs. I seem to recall R77.30 had the ability to auto-renew, but I'm not 100% sure of that.
I performed SK170558 to see how many years IKE certs could be extended and could only get 3 years.
Doing SK178304 manually for several hundred gateways will be very painful. Anyone have knowledge of a script that could do this?
Also would like to know, if R77.30 had this ability, why would Check Point not include this in a newer version?
But for the ICA it looks like this will now auto-renew? Take 26 R81.20:
PRJ-44577 | Internal CA | NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

I forgot R81.20 added the ability to auto-renew the ICA.
However, that doesn't help with the VPN certificates for gateways.
The actions required to renew the VPN certificates don't currently have API support, and I don't believe they can be scripted.

Hello,
So, to summarize, there is no way to automate the S2S IPsec VPN certificate renewal on the full Gaia platform? If you have one hundred S2S locations, that means that all of the locations have to be renewed manually... every year. I think that I speak for the whole community when I say that "autorenew IPsec cert" should be at least an enable/disable feature.
Br

Hi all,
Any update on the auto-renewal VPN certificates feature?
Any API script?
Thanks

From what I recall, the auto-renewal should work on most recent versions that are on the latest GA JHF. In the JHF release notes you will find some references to which things were fixed in which release.
If you still have issues after that which are not listed in SecureKnowledge, I strongly recommend a TAC case.

Auto-renewal in the latest JHF is related to the ICA root CA, not certificates for VPN, multiportal, etc., from what I know.

We are getting ready to order several hundred SMBs for site-to-site VPN back to our head-end Check Point GWs.
Even if we expand the internal certs on our SMS from 1 year to 3 years, are we going to have to manually renew our VPN certs at 3 years?
I always thought this VPN auto-renewal worked in previous versions (pre-R80), but I cannot seem to find anything stating this, other than this:
R81.10 Take 95
NEW: Previously, the Internal CA certificate required manual renewal process. Now it will be automatically renewed one year before its expiration date.

That's what I said.
Pay attention with certs longer than 1 yr; you can face problems like this: https://support.checkpoint.com/results/sk/sk180644

Thanks. Did not realize this (sk180644). And I can't see us renewing hundreds of these VPNs on a yearly basis.

We plan on releasing a mechanism to do a mass renew of certificates in the coming weeks.

That's GREAT news!! Thanks very much for the update.
-pat