- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Hello,
With the maximum validity period of certificates becoming shorter all the time it is a challenge for large deployments to renew everything. Is there a known solution to automate this for the remote access solutions of Check Point? And maybe even the Gaia interface as well? (some of our customers even have an external wildcard certificate on their Gaia webinterface).
Things like certbot don't apply for the VPN solution I guess, or maybe via the API?
Thanks in advance,
Regards,
Erik
The script to do this was released a few months ago: https://support.checkpoint.com/results/sk/sk182070
If you're using the ICA, then in theory, the certificates should renew automatically.
For an external CA, I'm not aware of an easy way to automate this stuff as there aren't really APIs or CLI commands to do this that I'm aware of.
I see in API v1.8 there are certificate installation options for the platform portal and the usercheck page, but not for the mobile access portal (or I did not find it yet). Let's hope this will be added in the near future as well!
Regards,
Erik
Hi PhoneBoy,
I have question regarding the ICA renewal, is it any way to ICA will be automatically renewed ? eg. by installing new software/hot fix ?
NO - at least if you do an upgrade, not fresh install without db import 8) After Jumbo install, GAiA WebGUI may need a new exception for the self-signed cert in browser, but that is all...
See sk158096: How to renew an Internal Certificate Authority (ICA) certificate for on-purpose renewals - sk164255: SIC Certificate fails to renew automatically for issues with that!
We now do an automatic renewal of the ICA as of R81.10 JHF 95 (PRJ-44576, PMTR-90463).
I presume this will also get rolled into other JHF streams.
There must be something for this right?
Can't believe that we still need to do this time consuming job by hand every year again.
Hi, Did you find any solution on this problem.?
Hello,
i just had the same issue now, VPN from a remote GW just stopped.
Not Valid Before: Mon Nov 15 12:55:30 2021 Local Time
Not Valid After: Wed Nov 16 12:55:30 2022 Local Time
But iam not sure if VPN certificates really get renewed automatically?
Where in a guide/SK is this written?
Anyway, i have seen this too often i will open a case and ask TAC.
i will keep u posted!
Hi
I have the same question, I talked to my certificate provider, and they told my, that I should expect that the lifetime on certificate will go to 3 month or lower, so a automated way of doing it is a must.
I suspect we'll have a way to update this information via API in the future.
Having said that, I highly recommend approaching your Check Point SE with your precise requirements for this.
The future is NOW.
You are rather later with this.
Is there any planes to auto renew the internal certificates on the gateways they now only have a lifetime on 1 year, and are used with identity collector, vpn and more, and do a renew on +100 gateways takes time.
Last I heard, there was a plan to provide an automated mechanism to do this in the near future...
Starting from R81.10, all IKE certificates are valid only for 1 year by default.
If customer has many FWs used for RA or S2S, where IKE certificate must be valid, it will help if there is some automated way to renew defaultCert automatically (like SIC, InternalCA).
Hopefully this will get sorted. VPN certificate expiry has caused us pain.
And for one customer who uses SAML, this needs a proper certificate and so far LetsEncrypt isn't available so that's entailed a different manual process!
I keep track of the expire dates in our systems so we get alerted before it expires. Just make a note in a calendar or internal system it is not that difficult. Also when the certificate will expire soon Check Point will give alert at the policy push.
So instead of waiting for Check Point to get it 'sorted' I would recommend to check your own procedures.
The script we are planning to make available to manage IKE certificates has an "in progress" SK for the functionality (only visible for Check Point employees).
Unfortunately, I do not know the timeline for it, though it is expected to be available as part of R82 and backported to R81.x releases via JHF.
Any updates?
The script to do this was released a few months ago: https://support.checkpoint.com/results/sk/sk182070
Please can this functionality be brought to Infinity, we have a growing landscape of managed clients where it's pathetic that inter-site VPNs stop working when the certificate expires.
Currently, this requires a manual action (i.e. running the script), which I assume TAC can run for you if needed.
We are planning to make this process more automatic, which I assume will also be available in Smart-1 Cloud.
This is planned for early next year.
This sounds rather strange - 3 months or lower ? Then we better stay with the internal CA...
https://letsencrypt.org/docs/faq/
Our certificates are valid for 90 days. You can read about why here.
There is no way to adjust this, there are no exceptions. We recommend automatically renewing your certificates every 60 days.
https://letsencrypt.org/2015/11/09/why-90-days.html
Nov 9, 2015 • Josh Aas, ISRG Executive Director
We’re sometimes asked why we only offer certificates with ninety-day lifetimes. People who ask this are usually concerned that ninety days is too short and wish we would offer certificates lasting a year or more, like some other CAs do.
Ninety days is nothing new on the Web. According to Firefox Telemetry, 29% of TLS transactions use ninety-day certificates. That’s more than any other lifetime. From our perspective, there are two primary advantages to such short certificate lifetimes:
For these reasons, we do not offer certificates with lifetimes longer than ninety days. We realize that our service is young, and that automation is new to many subscribers, so we chose a lifetime that allows plenty of time for manual renewal if necessary. We recommend that subscribers renew every sixty days. Once automated renewal tools are widely deployed and working well, we may consider even shorter lifetimes.
the future was already before 2015, almost 10 years from now.
Hello Folks,
and what about all those third party certificates for all Multiportals, HTTPS Inspection (in & outbound)
is there a documented way to have an overview of them?
You cannot use the script to renew third party certificates, but it should show them.
Almost a year late and still no solution to batch renew certificates 😞 Or I'm I missing something ?
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
User | Count |
---|---|
5 | |
3 | |
2 | |
2 | |
2 | |
1 | |
1 | |
1 | |
1 | |
1 |
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 02:00 PM (EDT)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - AMERAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY