Simon_Macpherso
Advisor

Checkpoint 790 Appliance - SSL VPN Certificate Renewal

I need to update an SSL VPN certificate on a Checkpoint 790 Appliance.

I have the pfx file to import generated from Entrust. 

I thought the import option would be able to update the existing certificates, but when importing "Certificate already exists" is returned.  

To remove the existing certificate, under VPN > Remote Access > Advanced I deselected the existing certificate (can't be deleted if the current certificate is selected). I then deleted the certificate from the table.

When I try to import the new certificate, it still returns "Certificate already installed". 

I was thinking it might be the existing Entrust intermediate certificate located under Certificates > Trusted CAs that might also need to be removed before I can import the new certificate. 

The import option does not seem to be able to automatically update the existing certificates. 

0 Kudos
8 Replies
the_rock
Legend

Can you send a screenshot of it please? I don't ever recall having an issue with this in the past.

Andy

0 Kudos
Simon_Macpherso
Advisor

[Attachment: Screenshot 2023-08-28 121648.png]

It seems the PFX in this instance doesn't contain the intermediate certificate - I removed the intermediate certificate from the Trusted CAs table and when trying to import the PFX it returned that the intermediate certificate for the import could not be found. So it's not the existing intermediate certificate that is causing the issue.

0 Kudos
G_W_Albrecht
Legend

Better contact TAC - there is some issue with certificate renewal on SMBs, currently a customer using 1480 experiences a similar problem.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

This was suggested by TAC:

1. Take a backup (Important!)

2. Delete trusted CAs
Remove the old certificate. (VPN -> Installed Certificates)
Go to VPN -> Trusted CAs , Delete your certificate.

3. While in expert mode go to '/pfrm2.0/config1/fw1/conf/' directory.
List all the certificates found under that directory by using the command:
[Expert@GW]# ls -ltr | grep crt
You will find a number of certificates that have characters as names [e.g.]:
-rw-r--r-- 1 root root 1050 Jun 27 18:42 c9720cf17d8ae1f993fe0b22.crt
-rw-r--r-- 1 root root 633 Jun 29 12:10 ccf7997d7404c47982732e29.crt
-rw-r--r-- 1 root root 734 Jun 29 12:10 e627755460d5431429e54b6e.crt
-rw-r--r-- 1 root root 645 Jun 29 12:10 f4270c849a7eaef38bef7989.crt
Delete these certificates.
Reboot the appliance and check again.

Please run the following command in expert mode and confirm the status of the convention blade.
#configload_Status

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Simon_Macpherso
Advisor

Thanks, I haven't performed this procedure yet, but the certificate expiry date was the 29th and users are still able to connect, suggesting the certificate was installed even though it didn't return a "certificate successfully installed" message. Oddly, the certificate is also not displayed in the installed certificates table.

0 Kudos
PhoneBoy
Admin

See if you can find the relevant certificate (a .crt file) in one of /pfrm2.0/config1/fw1/conf/ or /pfrm2.0/config2/fw1/conf/
If it's there, I believe it will be safe to remove the file and it should resolve the issue.
If this doesn't resolve the issue, I suggest contacting the TAC. 

Simon_Macpherso
Advisor

There are .crt files in /pfrm2.0/config1/fw1/conf/ but the filenames appear encoded.

Are the .crt file names encoded? If so which encoding is used?

0 Kudos
PhoneBoy
Admin

Not exactly sure how the files are named.
In any case, you will have to review the contents of each file to find the relevant one to remove.
I believe you can use the openssl CLI command to see the contents of these files (though can’t immediately find the correct syntax).
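An added example (not code from the thread, TAC or Check Point) covering both the TAC step that lists the hex-named .crt files in /pfrm2.0/config1/fw1/conf/ and PhoneBoy's suggestion to inspect each file with the openssl CLI before deleting anything. It assumes openssl is on the PATH in expert mode and that the files are PEM (with a DER fallback); the default directory, the sample hostname and the function names are assumptions for illustration. It prints the subject, issuer, validity window and SHA-256 fingerprint of every certificate, flags expired ones, and can pick out the file whose subject contains the VPN hostname, so only that file is removed rather than all of them.

```shell
#!/bin/sh
# Inspect the hex-named .crt files before removing any of them (added example).

# Print subject, issuer, validity and SHA-256 fingerprint for one certificate file.
cert_summary() {
    f="$1"
    if openssl x509 -in "$f" -noout >/dev/null 2>&1; then
        fmt=PEM
    elif openssl x509 -in "$f" -inform DER -noout >/dev/null 2>&1; then
        fmt=DER
    else
        printf '%s: not an X.509 certificate\n' "$f"
        return 1
    fi
    printf '== %s (%s)\n' "$f" "$fmt"
    openssl x509 -in "$f" -inform "$fmt" -noout -subject -issuer -dates -fingerprint -sha256
}

# Exit status 0 when the certificate's notAfter has already passed.
# -checkend 0 returns 0 while still valid, 1 once expired; we negate that.
cert_is_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# List .crt files in a directory whose subject contains the given string
# (for example the VPN hostname), one path per line. Non-certificates are skipped.
find_cert_by_subject() {
    dir="$1"; needle="$2"
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        if openssl x509 -in "$f" -noout -subject 2>/dev/null | grep -qF -- "$needle"; then
            printf '%s\n' "$f"
        fi
    done
}

# Summarise every .crt in the directory and mark expired ones.
main() {
    dir="${1:-/pfrm2.0/config1/fw1/conf}"   # assumed default, per the thread
    for f in "$dir"/*.crt; do
        [ -f "$f" ] || continue
        cert_summary "$f" || continue
        if cert_is_expired "$f"; then
            echo "   (EXPIRED)"
        fi
    done
}

# Only scan when a directory is given on the command line, so sourcing the file
# to reuse the functions has no side effects.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Usage on the appliance would be `sh inspect_crt.sh /pfrm2.0/config1/fw1/conf` (and the same for config2). Matching on the subject rather than the file name sidesteps the naming question entirely, and comparing the printed fingerprint against the one Entrust issued confirms which file is the old VPN certificate before it is deleted.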
