_KL_
Participant

How to renew internal CA certificate?

Does anybody have an idea or procedure for how to renew Internal CA certificates if it's about to expire soon?

Followed sk158096 and with the given command can see only the expiration date.

cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate

Any idea how this needs to be renewed? Let's see if it's getting expired by July 2021.

Please suggest.

0 Kudos
5 Replies
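The command in the question only prints the notAfter line. As an added example (not from the original post or from Check Point), here is a small Python helper that parses that output and turns it into a days-remaining check with a warning threshold, so the expiry can be watched before it becomes an emergency. The sample notAfter line and dates are constructed; the warning threshold of 90 days is an assumption.

```python
"""Parse the output of
    cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: \
        | cpopenssl x509 -noout -enddate
and report how many days remain on the Internal CA certificate.

Usage: pipe the command output into this script, or call check_ica_expiry() directly.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of what "cpopenssl x509 -noout -enddate" prints.
SAMPLE_OUTPUT = "notAfter=Jul  5 09:12:44 2021 GMT\n"

# Assumed threshold: warn when fewer than this many days remain.
DEFAULT_WARN_DAYS = 90


def parse_enddate(output):
    """Return the notAfter timestamp as a timezone-aware UTC datetime.

    openssl prints e.g. 'notAfter=Jul  5 09:12:44 2021 GMT' (note the
    double space before single-digit days); strptime tolerates that.
    """
    match = re.search(r"^\s*notAfter=(.+?)\s*$", output, re.MULTILINE)
    if not match:
        raise ValueError("no notAfter= line found in input")
    value = match.group(1)
    # openssl always prints GMT; strip it and mark the result as UTC explicitly.
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_remaining(expiry, now=None):
    """Whole days until expiry; negative once the certificate has expired."""
    if now is None:
        now = datetime.now(timezone.utc)
    return (expiry - now).days


def check_ica_expiry(output, now=None, warn_days=DEFAULT_WARN_DAYS):
    """Return (days_left, status) where status is OK, WARNING or EXPIRED."""
    days = days_remaining(parse_enddate(output), now)
    if days < 0:
        return days, "EXPIRED"
    if days < warn_days:
        return days, "WARNING"
    return days, "OK"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    days, status = check_ica_expiry(text)
    print("Internal CA: %s (%d days remaining)" % (status, days))
    # Non-zero exit for WARNING/EXPIRED so a cron job or monitoring hook can alert.
    sys.exit(0 if status == "OK" else 1)
```

The script exits non-zero when the certificate is inside the warning window, which makes it easy to hook into an existing monitoring job on the management server; the threshold should be set to at least the lead time needed to raise a TAC case and schedule the renewal.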
the_rock
Mentor

Let me check if this can be done via dashboard. If you open dashboard and go to objects -> servers -> trusted CA -> internal_CA, see if expiry date is the same, but I believe to renew it, you have to get it from a file.

0 Kudos
PhoneBoy
Admin

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You will have to contact the TAC to confirm you have the appropriate environment and they will provide the necessary script to achieve this without having to reset SIC.

0 Kudos
Hugo_vd_Kooij
Advisor

I opened a ticket last week and we had to do some prep work as not all devices were on the minimal required jumbo hotfix.

Once that was taken care of, we got a script. Doing a quick check of the script took 5 minutes. It looks like a solid piece of work. Finally we executed it this morning and it took less than 5 seconds.

0 Kudos
WorkingDread
Explorer

Hello there!

I tested this procedure in a lab environment (R80.40) for a customer.

  1. Dashboard:
    1. Remove Communities of all Gateways
    2. Remove IPSec Blade in Gateways
    3. Publish
    4. Reactivate IPSec Blade in Gateways
    5. In GWs IPSec Properties REMOVE the certificate
    6. Accept and publish
    7. Close Dashboard
  2. In expert mode in Server Management
    1. fwm sic_reset
    2. cpconfig - Option 6
    3. cpstart
    4. cpridstart (only if required)
  3. In dashboard
    1. At this point a new ICA must be working; you can check in Servers, internal_ca
    2. Add removed VPN communities to each Gateway
    3. Renew SIC Connection to GWs


Of course, this would only be recommended in Server Management with few connected Gateways.


0 Kudos
PhoneBoy
Admin

Obviously if you reset the ICA, that will generate a new certificate with a new expiration date.
Most customers don't want to go through the pain of re-SICing all gateways.
This is why there's a procedure for renewing the ICA key.

0 Kudos