Fiqri_kurniawan
Participant

Internal Certificate User VPN CAPI Automatically Renewal
Dear All,

May we always be given health.

I use the Internal certificate in the VPN Client environment. The default expiry for a user certificate is 2 years. For now, we want to know: if the user certificate has expired, will it be renewed automatically?

Because I see the SK in the configuration tab in: https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_RemoteAccessVPN_AdminGuid...

Please go to the "To configure automatic certificate renewal"

Or maybe some of you have experienced the user certificate expiring: does it renew automatically, or do you have to generate a new key?

 

Thanks and Regards,

Fiqriardhi Kurniawan

Tobias_Moritz
Advisor

If you enable automatic renewal the way the guide you linked to shows, it will work.

I saw it working in multiple environments.

However, there is one caveat:

The renewal is only done when the client is connecting to VPN.

Assuming you have configured renewal 60 days before expiry:

Scenario 1:

Cert will expire in 90 days. Client connects. Cert is not renewed.

Client does not use VPN for the next 60 days.

Now cert will expire in 30 days. Client connects. Cert is renewed during this process.

Client does not use VPN for the next 40 days.

Old cert was expired 10 days ago, but new cert is available on the client. Client connects using the new cert automatically.

 

Scenario 2:

You have configured renewal 60 days before expiry.

Cert will expire in 90 days. Client connects. Cert is not renewed.

Client does not use VPN for the next 100 days.

Now cert was expired 10 days ago. Client tries to connect and fails because cert is not valid anymore. No renewal possible anymore.

 

Conclusion: Tune the "renewal in xx days before expiry" option according to your needs.


Fiqri_kurniawan
Participant

Hello Tobias_Moritz,

Thank you for giving a good response. Okay, I have started to understand your parable.
Most of my customers connect every day, so maybe I can focus on Scenario 1.

But there is one thing I want to make sure of. The question is: if the user certificate expires in the next 90 days and the automatic renewal time is set at 60 days, and they try to connect when there are only 5 days left before expiration, those 5 days are still within the 60-day automatic renewal window. That means automatic renewal is still possible, right?

Or must the user really try to connect at D-60 before the certificate expires?

 

Thanks

Fiqri_kurniawan
Participant

In my understanding, the user doesn't necessarily have to connect at D-60 for automatic renewal. As long as the certificate is still in the pre-expiry stage, it will still renew automatically.

Tobias_Moritz
Advisor

When a user connects with a cert whose expiration date is within the renewal period, it is renewed. No matter how many days are left, as soon as it's in the period.

Also please make sure not to mix up user expiration with certificate expiration. An expired user account cannot connect to VPN even if cert is not expired and the other way around.

Cert is renewed automatically. User expiration date has to be modified manually.

One additional note for users who connect their VPN over restricted hotspots (hotel, airport, ...):

While for the VPN functionality of Endpoint Security VPN tcp/443 is enough (and having udp/4500 available makes it better), for automatic cert renewal to work you also need tcp/18264.

On Check Point gateway side, an implied rule makes sure this is working. However when your users are on restricted hotspots where this port is blocked, cert renewal will not work for them. Same goes for initial cert rollout with enrollment key.
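To make the renewal-window rule from the accepted answer and its restatement here concrete, the following is an added example (not code from the thread or from Check Point) that replays both scenarios against that rule, also refuses an expired user object as described above, and derives the smallest "renew before expiry" value that covers a client's longest gap between connections. The day-based model and the 2-year certificate lifetime are assumptions taken from the question.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CERT_LIFETIME_DAYS = 2 * 365  # default user certificate validity from the question (2 years)

@dataclass
class VpnClient:
    """Constructed model of one remote-access user (not Check Point code)."""
    cert_expiry_day: int                   # day on which the current certificate expires
    user_expiry_day: Optional[int] = None  # expiry of the user object itself, if set
    log: List[Tuple[int, str]] = field(default_factory=list)

def connect(client: VpnClient, day: int, renew_before_days: int) -> bool:
    """Apply the thread's rules to one connection attempt on `day`.

    An expired user object is refused even with a valid cert; an expired cert
    is refused and can no longer be auto-renewed; a cert inside its renewal
    window is renewed during the connection. Returns True on success.
    """
    if client.user_expiry_day is not None and day > client.user_expiry_day:
        client.log.append((day, "refused: user object expired"))
        return False
    days_left = client.cert_expiry_day - day
    if days_left < 0:  # assumption: the cert is still usable on its expiry day
        client.log.append((day, "refused: cert expired, no renewal possible"))
        return False
    if days_left <= renew_before_days:
        client.cert_expiry_day = day + CERT_LIFETIME_DAYS
        client.log.append((day, "connected, cert renewed"))
    else:
        client.log.append((day, "connected, cert not renewed"))
    return True

def replay(connect_days, renew_before_days, initial_days_left, user_expiry_day=None):
    """Replay a connection history from day 0; returns (all_succeeded, log).
    Stops at the first refused connection, since renewal is impossible after that."""
    client = VpnClient(initial_days_left, user_expiry_day)
    ok = all(connect(client, d, renew_before_days) for d in sorted(connect_days))
    return ok, client.log

def sufficient_window(connect_days) -> int:
    """Longest gap between consecutive connections. Setting 'renew before expiry'
    to at least this many days guarantees the client always connects inside the
    window before the cert lapses (a sufficient, not necessary, bound)."""
    days = sorted(connect_days)
    return max((b - a for a, b in zip(days, days[1:])), default=0)
```

Scenario 1 is `replay([0, 60, 100], 60, 90)` and Scenario 2 is `replay([0, 100], 60, 90)`; the second fails on day 100, while raising the window to `sufficient_window([0, 100])` makes it succeed.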
Fiqri_kurniawan
Participant

Hello Tobias,

Thank you for your explanation. Your explanation convinced me that the configuration will work as it should.

Yes, I agree with you about the difference between an expired user object and an expired user certificate.

Thank you. Hope this will help others.

 

Regards,

Fiqriardhi Kurniawan
