This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
roepkes
Participant
‎2020-10-02 03:23 PM

Renewing a 3rd Part VPN Certificate in R80.30

We have an existing 3rd party certificate that we need to renew. I have installed new certs using sk149253, but never renewed one.

 

We received new root and intermediate certs from DigiCert, but receive an error that they already exist when trying to create new server objects.

 

Does anyone know the exact process to renew 3rd party certs without deleting the originals?

5 Replies
PhoneBoy
Admin
Admin
‎2020-10-03 07:46 PM

Did you generate a CSR here or did they just give you new certificates?

roepkes
Participant
‎2020-10-05 10:32 AM
In response to PhoneBoy

Received new root and intermediate certs from DigiCert. Tried to create new server objects so that I could create a new CSR. Failed because the new certs look like the ones on the current server object. My sense is that I just need to remove the current cert from the repository, use the "get" cert feature to update the root and intermediate certs and generate a new CSR. Then complete the cert when signed, tell the vpn clients to use the cert and install policy. Sound right?
0 Kudos
PhoneBoy
Admin
Admin
‎2020-10-05 11:44 AM
In response to roepkes

That all sounds correct to me.
You might also need to double-check the VPN settings on the gateway object/community to ensure certificates from that CA are trusted.

0 Kudos
roepkes
Participant
‎2020-10-05 12:11 PM
In response to PhoneBoy

Thanks. I'll update my post after we do the work on Wednesday.

0 Kudos
roepkes
Participant
‎2020-10-07 08:28 PM
In response to roepkes

Worked out pretty much as intended.

1) Removed the current cert from the repository which blanked the VPN clients selection. There some warning and push configuration messages.

2)  Opened the trusted CA server object and used the Get button on the OPSEC PKI Tab to install and accept the new root cert.

3) Repeated step 2 for the subordinate CA.

4) Used the add button on the IPSEC page to create a new cert. You'll add a nickname and in our case it was important to pick our subordinate CA in the "CA to enroll from". First time we selected the root and we received an error telling us the cert chain was off.

5) Pushed the generate button and added our DN.

6) Another member of our team took the info and processed the cert with DigiCert.

7) Used the returned, signed cert to complete the enrollment.

8) Switched the VPN clients to authenticate using the new cert.

9) Pushed policy for good measure.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events