Create a Post
Showing results for 
Search instead for 
Did you mean: 

how to renew internal CA certificate ?

Did anybody have an idea or procedure how to renew Internal CA certificates if its about to expire soon.

Followed sk158096 and with the given command can see only expiration date.


cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate

Any idea, how this needs to be renewed, lets see if its getting expired by July2021.

Please suggest.

0 Kudos
5 Replies

Let me check if this can be done via dashboard. If you open dashboard and go to objects -> servers -> trusted CA -> internal_CA, see if expiry date is the same, but I believe to renew it, you have to get it from a file.

0 Kudos
You will have to contact the TAC to confirm you have the appropriate environment and they will provide the necessary script to achieve this without having to reset SIC.


I opened a ticket last week and we had to do some prep work as not all devices were on the minimal required jumbo hotfix.

Once that was taken care we got a script. Doing a quick check of the script took 5 minutes. It looks like a solid piece of work. Finally we executed it this morning and it took less then 5 seconds.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>

Hello there!

I tested in lab enviroment (R80.40) this procedure for a customer.

  1. Dashboard:
    1. Remove Communities of all Gateways
    2. Remove IPSec Blade in Gateways
    3. Publish
    4. Reactive IPSec Blade in Gateways
    5. In GWs IPSec Properties REMOVE the certificate
    6. Acept and publish
    7. Close Dashboard
  2. In expert mode in Server Management
    1. fwm sic_reset
    2. cpconfig - Option 6
    3. cpstart
    4. cpridstart (only if is required)
  3. In dashboard
    1. in this point a new ICA must to be working, you can check in Servers, internal_ca
    2. Add removed vpn communities to each Gateways
    3. Renew SIC Connection to GWs


Of course this only would be recommended in Server Management with few connected Gateways.




Obviously if you reset the ICA, that will generate a new certificate with a new expiration date.
Most customers don't want to go through the pain of re-SICing all gateways.
This is why there's a procedure for renewing the ICA key.


Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events