Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ErikV
Participant
Jump to solution

Automatic certificate renewal

Hello,

 

With the maximum validity period of certificates becoming shorter all the time it is a challenge for large deployments to renew everything. Is there a known solution to automate this for the remote access solutions of Check Point? And maybe even the Gaia interface as well? (some of our customers even have an external wildcard certificate on their Gaia webinterface). 

Things like certbot don't apply for the VPN solution I guess, or maybe via the API?

Thanks in advance,

Regards,

Erik

 

(2)
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

The script to do this was released a few months ago: https://support.checkpoint.com/results/sk/sk182070 

View solution in original post

(1)
23 Replies
PhoneBoy
Admin
Admin

If you're using the ICA, then in theory, the certificates should renew automatically.
For an external CA, I'm not aware of an easy way to automate this stuff as there aren't really APIs or CLI commands to do this that I'm aware of.

0 Kudos
ErikV
Participant

I see in API v1.8 there are certificate installation options for the platform portal and the usercheck page, but not for the mobile access portal (or I did not find it yet). Let's hope this will be added in the near future as well!

Regards,

Erik

 

0 Kudos
AS2021
Contributor

Hi PhoneBoy,
I have question regarding the ICA renewal, is it any way to ICA will be automatically renewed ? eg. by installing new software/hot fix ?

0 Kudos
G_W_Albrecht
Legend Legend
Legend

NO - at least if you do an upgrade, not fresh install without db import 😎 After Jumbo install, GAiA WebGUI may need a new exception for the self-signed cert in browser, but that is all...

See sk158096: How to renew an Internal Certificate Authority (ICA) certificate for on-purpose renewals - sk164255: SIC Certificate fails to renew automatically for issues with that!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

We now do an automatic renewal of the ICA as of R81.10 JHF 95 (PRJ-44576, PMTR-90463).
I presume this will also get rolled into other JHF streams.

0 Kudos
checkfreehs
Explorer

There must be something for this right?

Can't believe that we still need to do this time consuming job by hand every year again.

0 Kudos
Baasanjargal_Ts
Advisor
Advisor

Hi, Did you find any solution on this problem.?

0 Kudos
Thomas_Eichelbu
Advisor
Advisor

Hello, 

i just had the same issue now, VPN from a remote GW just stopped.


Not Valid Before: Mon Nov 15 12:55:30 2021 Local Time
Not Valid After:  Wed Nov 16 12:55:30 2022 Local Time


Unbenannt.PNG

 

 

 


But iam not sure if VPN certificates really get renewed automatically?
Where in a guide/SK is this written?
Anyway, i have seen this too often i will open a case and ask TAC.

i will keep u posted!

 

0 Kudos
Soren_Kristense
Contributor

Hi

I have the same question, I talked to my certificate provider, and they told my, that I should expect that the lifetime on certificate will go to 3 month or lower, so a automated way of doing it is a must.

0 Kudos
PhoneBoy
Admin
Admin

I suspect we'll have a way to update this information via API in the future. 
Having said that, I highly recommend approaching your Check Point SE with your precise requirements for this.

0 Kudos
checkfreehs
Explorer

The future is NOW.

You are rather later with this.

0 Kudos
Soren_Kristense
Contributor

Is there any planes to auto renew the internal certificates on the gateways they now only have a lifetime on 1 year, and are used with identity collector, vpn and more, and do a renew on +100 gateways takes time.

0 Kudos
PhoneBoy
Admin
Admin

Last I heard, there was a plan to provide an automated mechanism to do this in the near future...

0 Kudos
JozkoMrkvicka
Authority
Authority

Starting from R81.10, all IKE certificates are valid only for 1 year by default.

If customer has many FWs used for RA or S2S, where IKE certificate must be valid, it will help if there is some automated way to renew defaultCert automatically (like SIC, InternalCA).

Kind regards,
Jozko Mrkvicka
0 Kudos
stallwoodj
Collaborator
Collaborator

Hopefully this will get sorted. VPN certificate expiry has caused us pain.

And for one customer who uses SAML, this needs a proper certificate and so far LetsEncrypt isn't available so that's entailed a different manual process!

0 Kudos
Lesley
Leader Leader
Leader

I keep track of the expire dates in our systems so we get alerted before it expires. Just make a note in a calendar or internal system it is not that difficult. Also when the certificate will expire soon Check Point will give alert at the policy push. 

So instead of waiting for Check Point to get it 'sorted' I would recommend to check your own procedures. 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
PhoneBoy
Admin
Admin

The script we are planning to make available to manage IKE certificates has an "in progress" SK for the functionality (only visible for Check Point employees).
Unfortunately, I do not know the timeline for it, though it is expected to be available as part of R82 and backported to R81.x releases via JHF.

MiniNinja
Collaborator

Any updates?

0 Kudos
PhoneBoy
Admin
Admin

The script to do this was released a few months ago: https://support.checkpoint.com/results/sk/sk182070 

(1)
G_W_Albrecht
Legend Legend
Legend

This sounds rather strange - 3 months or lower ? Then we better stay with the internal CA...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
checkfreehs
Explorer

https://letsencrypt.org/docs/faq/

What is the lifetime for Let’s Encrypt certificates? For how long are they valid?

Our certificates are valid for 90 days. You can read about why here.

There is no way to adjust this, there are no exceptions. We recommend automatically renewing your certificates every 60 days.

https://letsencrypt.org/2015/11/09/why-90-days.html

Why ninety-day lifetimes for certificates?

Nov 9, 2015 • Josh Aas, ISRG Executive Director

We’re sometimes asked why we only offer certificates with ninety-day lifetimes. People who ask this are usually concerned that ninety days is too short and wish we would offer certificates lasting a year or more, like some other CAs do.

Ninety days is nothing new on the Web. According to Firefox Telemetry, 29% of TLS transactions use ninety-day certificates. That’s more than any other lifetime. From our perspective, there are two primary advantages to such short certificate lifetimes:

  1. They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
  2. They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.

For these reasons, we do not offer certificates with lifetimes longer than ninety days. We realize that our service is young, and that automation is new to many subscribers, so we chose a lifetime that allows plenty of time for manual renewal if necessary. We recommend that subscribers renew every sixty days. Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.

 

 

the future was already before 2015, almost 10 years from now.

0 Kudos
Thomas_Eichelbu
Advisor
Advisor

Hello Folks, 

and what about all those third party certificates for all Multiportals, HTTPS Inspection (in & outbound) 
is there a documented way to have an overview of them?


0 Kudos
PhoneBoy
Admin
Admin

You cannot use the script to renew third party certificates, but it should show them.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events