This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GSallin
Employee
Employee
‎2023-02-21 06:48 AM
Jump to solution

Migrate VPN Certificate

I have a question.

My customer is currently using a virtual GW as VPN GW, the VPN users have to authenticate themselves with a certificate. 

The customer wants to replace his GW with a new one (new release), is it possible to migrate the certificate from the old GW to the the new one?

Thank you

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-02-21 07:16 AM
Jump to solution

In general, there is no way to export the private key of a gateway and import it to another.
If they use the same Certificate Authority (ie are managed by the same management), then this shouldn’t create an issue since it’s ultimately the CA that validates a certificate is valid.
Other than possibly a fingerprint message when the user connects to the new gateway for the first time, there shouldn’t be any issues authenticating.

More details about your current and proposed configuration (current version, target version, how is the gateway managed from what versions, etc) would help clarify our answers.

View solution in original post

0 Kudos
8 Replies
G_W_Albrecht
Legend Legend
Legend
‎2023-02-21 07:05 AM
Jump to solution

Why not update the existing GW to the new release ? This would keep everything...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
GSallin
Employee
Employee
‎2023-02-21 07:06 AM
In response to G_W_Albrecht
Jump to solution

Because he want to restart from scratch with a new one

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-02-21 07:12 AM
In response to GSallin
Jump to solution

Not possible without TAC afaik.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2023-02-21 07:16 AM
Jump to solution

In general, there is no way to export the private key of a gateway and import it to another.
If they use the same Certificate Authority (ie are managed by the same management), then this shouldn’t create an issue since it’s ultimately the CA that validates a certificate is valid.
Other than possibly a fingerprint message when the user connects to the new gateway for the first time, there shouldn’t be any issues authenticating.

More details about your current and proposed configuration (current version, target version, how is the gateway managed from what versions, etc) would help clarify our answers.

0 Kudos
PointOfChecking
Collaborator
‎2023-08-15 06:53 AM
In response to PhoneBoy
Jump to solution

Hi Phone Boy,

 

We have 2 GWs, a 3800 (R80.40) and an 1800 (R80.20.50).

According to your comment, can I use the same certificate to connect to different GW's VPN if they use the same MGMT (Same CA)?

 

I have tried, but in the logs (after vpn debug ikeon), I see the below in the smart logs:

It's strange, it can see the correct DN, but shows "user DN unknown" and for the key install it shows "invalid certificate".

Any ideas please?

I also tried to create a new client certificate and enroll that one to the other GW, but still fails.  (i.e. one client certificate per gw per user)

 

 

VPN-unknownuser.png

 

 

VPN-unknownuser1.png

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-08-15 02:45 PM
In response to PointOfChecking
Jump to solution

Suggest involving the TAC to troubleshoot this: https://help.checkpoint.com 

Chris_Atkinson
Employee Employee
Employee
‎2023-08-15 03:27 PM
In response to PointOfChecking
Jump to solution

Please also note that R80.20.x will be EOL in Oct-23, please refer:

https://www.checkpoint.com/support-services/support-life-cycle-policy/#embedded-security 

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2023-02-21 07:22 AM
Jump to solution

Hey @GSallin 

Not sure if it is possible, but below discussion might be helpful:

https://community.checkpoint.com/t5/Management/quot-unknown-quot-certificate-on-management-server/m-...

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events