Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
starmen2000
Collaborator
Collaborator

SSL Certificate renew and backup

Hi mates,

 

Quick question. We want to renew the SSL certificate on the gateway. It is displayed on the firewall properties on the platform portal tab. We have generated CRT file and private key file for new certificate. Now it is ready for renewal. Question is, if something goes wrong, once new certificate is installed, how can we get back to current certificate? As I know, we need private key file of current certificate. But we do not have it. How can I find private key of current certificate files on gateway and export it in case of rollback?

 

Thanks

0 Kudos
6 Replies
the_rock
Legend
Legend

0 Kudos
starmen2000
Collaborator
Collaborator

Actually I could not find the exact answer related my answer. 

0 Kudos
the_rock
Legend
Legend

I meant the part I highlighted.

Andy

 

Short answer: the gateway has the private key, both have the public key.
This is consistent with how the RSA cryptosystem works, which is the basis for IPsec VPN, TLS, SIC, and others.

VPN Certificates come from the Internal Certificate Authority (ICA), which exists on the management and is based on the 
Whether it's a device separate from the gateway or the same device (i.e. locally managed) doesn't matter.

When a Check Point gateway is first installed, it generates a unique private key, which is then signed by the ICA when SIC is established.
Much like when you issue a Certificate Signing Request for a certificate to a public CA for a website, the ICA does not need to know the gateway's private key in order to sign the certificate.

We do not provide a mechanism to export private keys from the gateway.
It is trivial (and more secure) to generate a new keypair signed by the same Certificate Authority as before.

0 Kudos
starmen2000
Collaborator
Collaborator

In this case, an important point comes to my mind, if something goes bad while replacing the current certificate, how can I revert to the old certificate? Without private key file of the current existing certificate on the gateway is it possible to rollback? 

0 Kudos
the_rock
Legend
Legend

Thats probably question for TAC, better get an official CP answer. Personally and this is just me. sounds like it might be possible to do it from Guidbedit, but honestly, its just educated guess.

Andy

0 Kudos
PhoneBoy
Admin
Admin

You might be able to do so with a database revision on the management, but you would have to roll back the entire configuration to the desired point.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events