This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
konecnyl
Participant
‎2025-11-04 07:57 AM

Replacing subordinate CA certificate with same DN – will it affect existing VPN/SAML certificates?

Hi all,

I’d like to double-check the correct procedure for handling a subordinate CA renewal in Check Point management.

Our internal PKI admin has reissued a subordinate CA (*_sub_ca) certificate with the same Distinguished Name (CN=xxx_sub_ca, O=..., C=CZ) but a new validity period (the old one is still valid until Jan 2026).

In our environment:

  • The subordinate CA (*_sub_ca) and the root CA are both imported under Trusted CA Servers and used for VPN certificates (SAML and SSL VPN, certificate-based authentication).

  • The new subordinate CA certificate cannot be imported — SmartConsole reports:

    Error: Certificate with the same Distinguished Name already installed for another CA: dpp_sub_ca. Installation failed.

  • On Cisco ISE, both CAs can coexist, but Check Point blocks this because of the identical DN.

Now, some of our mobile clients (Capsule VPN on Android) already received new user certificates signed by the new subordinate CA, and they can’t authenticate — because the gateway doesn’t trust the new CA yet.

Questions:

  1. Can I safely perform a Replace Certificate operation on the existing *_sub_ca object (keeping the same DN), so that both old and new client certificates remain trusted?

  2. Will this “replace” operation preserve all existing trust relationships — e.g., issued VPN/SAML certificates that are still valid under the old CA?

  3. Is there any best practice for temporarily supporting both old and new subordinate CA certificates (same DN) in parallel?

We are running:

  • Check Point R82 Management and Gateways

  • Capsule VPN on Android/iOS (certificate-based auth)

  • The old and new subordinate CA have identical DN but different serial numbers and validity ranges.

Any official confirmation or experience from the field would be appreciated before we proceed with the replacement.

Thanks,
Lukáš

0 Kudos
1 Reply
the_rock
MVP Platinum
MVP Platinum
‎2025-11-04 10:17 AM

Hey Lukas,

This is way I understand it...

If you right-click the existing subordinate CA object and choose Replace Certificate, then:

  1. The old CA certificate data (public key, validity, serial) will be replaced with the new one.

  2. Any trust relationships that rely on that CA object (e.g. VPN certificate validation, SAML trust, Mobile Access portal authentication) will now trust certificates chained to the new CA’s key.

  3. However — Check Point will no longer recognize certificates that were signed by the previous CA key (i.e., old subordinate CA), even if they’re still valid and not expired.

That’s because the CA’s public key changes, and Check Point validates certificates by chaining to a specific key pair, not just by DN.

So in short:

-New client certificates signed by the new subordinate CA → will authenticate fine.

-Old certificates signed by the old subordinate CA (same DN, old key) → will fail validation once the replacement is applied.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events