Can't renew expiring certificate
Hi,
My VPN certificate on R81.20 Gateway expires soon and I went through the usual process of deleting the existing and creating a new one, however today I got hit with this message
I have not seen this before and can't find any way round it. Found a similar post about using GuiDBedit, but that didn't work.
Any help greatly appreciated
Happy New Year
Wayne
I never delete and always use renew, have you tried that?
So instead of delete either add or renew?
You try it now to renew it under IPSec VPN correct?
If you like this post please give a thumbs up(kudo)! 🙂
Hi Lesley,
The renew option has never been available for certs generated by an external CA (I assumed this was the case).
I cannot renew, and if I try ADD I can't use the same CN details.
Cheers
Wayne
Ah not self-signed.
What if you create a temp self-signed cert and attach that, and after that try to remove the old one?
If you like this post please give a thumbs up(kudo)! 🙂
Still no go
Can you share a little bit larger screenshot? In which menu did you get this message?
When you changed this cert last time, was this cert used in clientless VPN too?
Akos
\m/_(>_<)_\m/
Hi Akos,
My larger images seem to get removed. I always do this under IPSecVPN and have never configured Clientless VPN
Cheers
Wayne
To clarify this, so here:
You add the new one, then can't remove the old one?
\m/_(>_<)_\m/
Correct, at the moment I have a cert installed from an EXT CA.
When I try to remove it (as renew is greyed out), the error message appears.
I have never seen this before
Thanks
I had a try, I wanted to delete the cert which was issued by ICA
I got this error:
Maybe it helps.
A
\m/_(>_<)_\m/
Weird, just tried in my lab and though it's part of 3 communities, it does not give that error.
Andy
Make sure that if you have the temp cert active the old one is not configured in a different place.
Did you check all the menu options in the firewall object itself? Like under VPN clients.
If you like this post please give a thumbs up(kudo)! 🙂
Hi Lesley,
Yes, I cannot see it selected anywhere else.
I think we need some screenshots. Sometimes a feature is disabled and you need to enable it in order for renewal.
If you like this post please give a thumbs up(kudo)! 🙂
We haven't talked about the version. What is the current version?
I found this sk, but it is not relevant, R80.20 is not supported, and the error message is totally different.
https://support.checkpoint.com/results/sk/sk108064
Akos
\m/_(>_<)_\m/
Saw that, but it did nothing
Thanks
Maybe it is time to open a TAC case.
\m/_(>_<)_\m/
Yes time for TAC
Please keep us updated. 🙂
\m/_(>_<)_\m/
I believe what it's telling you to do is remove any current references to that certificate and install policy, and then the delete option would work.
Andy
Yes, I am pretty sure all references have been removed.
Waiting for TAC
Cheers all !!
Fixed it.
First took snapshot of SM VM (in case I bust it)
Used GuiDBedit and found entry for VPN reference in the FW object
Deleted it
Saved changes
Said a prayer
Opened SmartConsole
VPN reference gone
Pushed policy for good measure
Still gone
Case closed
Thanks for all your help guys !!
Great!
Thanks for sharing with us!
\m/_(>_<)_\m/
Hi Guys,
I seem to have now developed another issue, similar to post https://community.checkpoint.com/t5/Remote-Access-VPN/Remove-Access-VPN-Gateway-presenting-wrong-cer...
With the faulty Ext CA gone, I got a new one and it all installed ok, however when I inspect the SSL cert the FW presents the default one and not the Ext CA.
Very weird
Any ideas?
Thanks
Wayne
Depending on the JHF level, you might need to reboot for the change to take effect as I believe this is a known issue.
I tried a CPSTOP and CPSTART and that did the trick.
Thanks
That should work also.
