Re: Reinitialize the Expired VPN Certificate

Soroosh

Hi everyone,

Recently I have a problem with reinitializing the VPN Certificate on SMB Gateways. on a cloud managed (infinity portal) SMBs 1570, 1535, 1530, and so on with firmware R81.10.10 (996002945), and R81.10.15 (996003913) the VPN certificate is expired, and as it is connected to the SMP, I cannot reinitialize the internal certificate correctly. every time I tried, I got this error: "Failed to reinitialize certificates".
The new certificate is there, but it is not healthy, and the VPN is not working.
A Professional once told me that certificates on Cload-managed SMBs have to be managed only through SMP. I have done that, and the certificate is on the gateway, but not as a VPN certificate, as a cloud service provider certificate. At this point, the only way I can renew the certificate correctly is to disconnect the gateway from the SMP, renew the certificate, and reconnect it. But this shouldn't be the right way! Its not a solution, its just a workaround!
Has anyone any solution?
Thanks in advance.

the_rock

That seems like a pretty serious issue. I would call TAC and get remote session going to fix it.

Andy

PhoneBoy

TAC case is probably best here: https://help.checkpoint.com

Ted_Serreyn

I have a long standing TAC case open on VPN certificate problems on the SMBs. It's really odd that we are still seeing issues with certificates on these (or any) devices.

In my case installing a .p12 certificate bundle for vpn.domain.com on the device, and renewing it had problems. It can be re-done (remove everything, reboot box, and re-install) but this really should NOT be required IMHO.

Of course then when the certificate is actually installed and functioning, the VPN sometimes suddenly fails to see it and stops using the certificate for VPNs causing them to fail.

I have had this issue on newer firmware R81.10.10, R81.10.15, and has finally reached a threshold of 30% failures with one of my clients.

G_W_Albrecht

https://support.checkpoint.com/results/sk/sk180117

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Ted_Serreyn

I am aware o this SK, and it is not applicable in my case as this SK was already resolved in my environment.

G_W_Albrecht

Our customers issue was resolved by the following procedure:

- In Expert mode, run:
pt internalCertificate

- Look for the Cloud Services certificate (it should have a hashed name, e.g., 34a823sda183f1g4h16.crt).

- Note the ID number associated with it.

- Remove the certificate from the database:
sqlcmd “delete from internalCertificate where id=xxxx” (Replace xxxx with the actual ID number.)

- Reinitialize certificates

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht

We have a final statement from CP TAC:

We reviewed the internal VPN Advanced settings configuration and noticed that all gateways were set to use the last installed certificate for VPN connections.

Since the Cloud certificate renews itself automatically, it will always be selected, ensuring that remote access continues to work even if the VPN certificate has expired.

It's important to note that if you have already reinitialized the certificates, the VPN certificate will take priority.
Since you encountered an error during this process, it may have impacted the certificate installation, making the VPN certificate the latest installed one. This could potentially affect remote access connections.

Given this, we strongly recommend leaving the VPN certificate expired if your gateways are connected to SMP.

However, if you experience any VPN issues where the VPN certificate has expired and the SMP portal certificate is the last installed certificate, please let CP TAC know, and we will investigate further.

At this time, it appears that everything is functioning as expected.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

Reinitialize the Expired VPN Certificate