Checkpoint 790 Appliance - SSL VPN Certificate Ren...

Simon_Macpherso · ‎2023-08-25

I need to update an SSL VPN certificate on a Checkpoint 790 Appliance.

I have the pfx file to import generated from Entrust.

I thought the import option would be able to update the existing certificates, but when importing "Certificate already exists" is returned.

To remove the existing certificate, under VPN > Remote Access > Advanced I deselected the existing certificate (cant be deleted if the current certificate is selected). I then deleted the certificate from the table.

When I try to import the new certificate, it still returns "Certificate already installed".

I was thinking it might be the existing Entrust intermediate certificate located under Certificates > Trusted CAs that might also need to be removed before I can import the new certificate.

The import option does not seem to be able to automatically update the existing certificates.

the_rock · ‎2023-08-25

Can you send a screenshot of it please? I dont ever recall having issue with this in the past.

Andy

Simon_Macpherso · ‎2023-08-27

It seems the PFX in this instance doesn't contain the intermediate certificate - I removed the intermediate certificate from the Trusted CAs table and when trying to import the PFX it returned that the intermediate certificate for the import could not be found. So its not the existing intermediate certificate that is causing the issue.

G_W_Albrecht · ‎2023-08-27

Better contact TAC - there is some issue with certificate renewal on SMBs, currently a customer using 1480 experiences a similar problem.

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist

G_W_Albrecht · ‎2023-08-28

This was suggested by TAC:

1. Take a backup (Important!)

2. Delete trusted CAs
Remove the old certificate. (VPN -> Installed Certificates)
Go to VPN -> Trusted CAs , Delete your certificate.

3. While in expert mode go to '/pfrm2.0/config1/fw1/conf/' directory.
List all the certificates found under that directory by using the command:
[Expert@GW]# ls -ltr | grep crt
You will find a number of certificates that have characters as names [e.g.]:
-rw-r--r-- 1 root root 1050 Jun 27 18:42 c9720cf17d8ae1f993fe0b22.crt
-rw-r--r-- 1 root root 633 Jun 29 12:10 ccf7997d7404c47982732e29.crt
-rw-r--r-- 1 root root 734 Jun 29 12:10 e627755460d5431429e54b6e.crt
-rw-r--r-- 1 root root 645 Jun 29 12:10 f4270c849a7eaef38bef7989.crt
Delete these certificates.
Reboot the appliance and check again.

Please run the following command in expert mode and confirm the status of the convention blade.
#configload_Status

CCSE / CCTE / CCME / CCSM Elite / SMB Specialist

Simon_Macpherso · ‎2023-08-30

Thanks I haven't performed this procedure yet but the certificate expiry date was the 29th and users are still able to connect, suggesting the certificate was installed even though it didn't return a certificate successfully installed message. Oddly, the certificate also is not displayed in the installed certificates table.

PhoneBoy · ‎2023-08-25

See if you can find the relevant certificate (a .crt file) in one of /pfrm2.0/config1/fw1/conf/ or /pfrm2.0/config2/fw1/conf/
If it's there, I believe it will be safe to remove the file and it should resolve the issue.
If this doesn't resolve the issue, I suggest contacting the TAC.

Simon_Macpherso · ‎2023-08-27

There are /crt files in /pfrm2.0/config1/fw1/conf/ but the filenames appear encoded.

Are the .crt file names encoded? If so which encoding is used?

PhoneBoy · ‎2023-08-28

Not exactly sure how the files are named.
In any case, you will have to review the contents of each file to find the relevant one to remove.
I believe you can use the openssl CLI command to see the contents of these files (though can’t immediately find the correct syntax).

Are you a member of CheckMates?

Checkpoint 790 Appliance - SSL VPN Certificate Renewal