sorinstf
Contributor

internal root ca expiring on R81.20

Hello, 

I've upgraded MDS from R80.40 to R81.20. As I have not installed JHA Take 26, how do I manually renew the ICA for this domain?

for DOMAIN in $(${MDSVERUTIL} AllCMAs); do mdsenv ${DOMAIN}; echo -n "${CustomerName} ---> " ; cpopenssl pkcs12 -in ${FWDIR}/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate ; done | sort --key=6

DMS1_main_emea---> notAfter=Feb23 06:23:09 2024 GMT

.....................

[Expert@mds:0]# cpinfo -y all

This is Check Point CPinfo Build 914000231 for GAIA
[MGMT]
No hotfixes..
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[FW1]
HOTFIX_NGM_DOCTOR_AUTOUPDATE
HOTFIX_VCE_R81_20_AUTOUPDATE
HOTFIX_WEBCONSOLE_AUTOUPDATE
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
HOTFIX_GOT_MGMT_AUTOUPDATE
HOTFIX_GOT_TPCONF_MGMT_AUTOUPDATE

FW1 build number:
This is Check Point Security Management Server R81.20 - Build 440
This is Check Point's software version R81.20 - Build 703

0 Kudos
PhoneBoy
Admin
sorinstf
Contributor

Thanks for the SK.

I've just upgraded to JHA Take 26 and now this has also been fixed. Very useful feature release. 

0 Kudos
Daniel_Kavan
Advisor

Hi, I have a follow-up question on sk158096.

Here’s the confusing part, under Procedure – If the Internal CA certificate is still valid:

Important Note: You do not need to do steps 1 and 2 of this procedure if you have installed the Jumbo Hotfixes below. Before the release of the Jumbo Hotfix Takes, the Internal CA certificate required a manual renewal process. With these Takes, it will be automatically renewed one year before its expiration date:

But then, when you look at the instructions, there are only three major steps. I assume when they say do steps 1 and 2, they mean start with #3 of the SUBSTEPS under #2 major. If I had to guess, I need to start with substep #4 since we don’t have a multi-domain server.

 

OK, after posting this and re-reading... I see it will be automatically renewed at one year. Cool. I'll wait until then; I'll just have a bunch of certs to renew.

 

0 Kudos
the_rock
Legend

You got it... so, say in my case, since my lab is R81.20 jumbo 70, I would not need to worry about renewal process steps 1 and 2. Who knows what the world will look like in 2038 😂😂

Andy

[Expert@CP-MANAGEMENT:0]# cpopenssl pkcs12 -in $FWDIR/conf/InternalCA.p12 -nokeys -nomacver -passin pass: 2>/dev/null | cpopenssl x509 -noout -enddate
notAfter=Jan 19 03:14:07 2038 GMT
[Expert@CP-MANAGEMENT:0]#

0 Kudos
the_rock
Legend

Definitely, the SK PhoneBoy gave is what you need to follow.

Regards,

Andy

0 Kudos
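
Added example, not part of any post in this thread and not Check Point code: a bash helper that takes the `notAfter=` lines produced by the commands above and marks each Internal CA as expired, inside the one-year window the SK note describes, or fine. The function names, `RENEW_WINDOW_DAYS` and the sample lines are assumptions made for the illustration, and it relies on GNU `date -d`.

```bash
#!/bin/bash
# Added example (not from the thread or from Check Point): triage ICA expiry dates.
# Function names and RENEW_WINDOW_DAYS are hypothetical; needs GNU date (date -d).
# 365 days mirrors the "one year before its expiration date" window quoted above.
RENEW_WINDOW_DAYS=365

# ica_status "<notAfter date>" [reference_epoch] -> EXPIRED | RENEW_WINDOW Nd | OK Nd
ica_status() {
    local end now left
    end=$(date -u -d "$1" +%s 2>/dev/null) || { echo "UNPARSEABLE"; return 0; }
    now=${2:-$(date -u +%s)}
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo "EXPIRED"
    elif [ "$left" -le $(( RENEW_WINDOW_DAYS * 86400 )) ]; then
        echo "RENEW_WINDOW $(( left / 86400 ))d"
    else
        echo "OK $(( left / 86400 ))d"
    fi
}

# ica_report [reference_epoch]: reads "<name> ---> notAfter=<date>" (or bare
# "notAfter=<date>") lines on stdin, prints name, end date and status, tab-separated.
ica_report() {
    local line name enddate
    while IFS= read -r line; do
        case "$line" in
            *'--->'*notAfter=*) name=${line%%--->*} ;;
            *notAfter=*)        name="(local)" ;;
            *)                  continue ;;      # skip anything that is not an end date
        esac
        name=${name%"${name##*[! ]}"}            # trim trailing spaces
        enddate=${line#*notAfter=}
        printf '%s\t%s\t%s\n' "$name" "$enddate" "$(ica_status "$enddate" "$1")"
    done
}

# Constructed sample input, evaluated against a fixed reference time
# (epoch 1700000000 = 2023-11-14 22:13:20 UTC) so the result is reproducible.
ica_report 1700000000 <<'EOF'
DomainA ---> notAfter=Jan  5 10:00:00 2023 GMT
DomainB ---> notAfter=Feb 23 06:23:09 2024 GMT
notAfter=Jan 19 03:14:07 2038 GMT
EOF
```

On a management server, pipe the output of the per-domain loop from the first post into `ica_report` with no argument so the current time is used.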
