This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
starmen2000
Collaborator
Collaborator
‎2023-09-08 10:10 AM

SSL Certificate renew and backup

Hi mates,

 

Quick question. We want to renew the SSL certificate on the gateway. It is displayed on the firewall properties on the platform portal tab. We have generated CRT file and private key file for new certificate. Now it is ready for renewal. Question is, if something goes wrong, once new certificate is installed, how can we get back to current certificate? As I know, we need private key file of current certificate. But we do not have it. How can I find private key of current certificate files on gateway and export it in case of rollback?

 

Thanks

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2023-09-08 10:18 AM

Maybe this answers your question...

Andy

https://community.checkpoint.com/t5/Management/secret-key-on-smart-1/m-p/161914#M32589

0 Kudos
starmen2000
Collaborator
Collaborator
‎2023-09-08 10:53 AM
In response to the_rock

Actually I could not find the exact answer related my answer. 

0 Kudos
the_rock
Legend
Legend
‎2023-09-08 10:58 AM
In response to starmen2000

I meant the part I highlighted.

Andy

 

Short answer: the gateway has the private key, both have the public key.
This is consistent with how the RSA cryptosystem works, which is the basis for IPsec VPN, TLS, SIC, and others.

VPN Certificates come from the Internal Certificate Authority (ICA), which exists on the management and is based on the 
Whether it's a device separate from the gateway or the same device (i.e. locally managed) doesn't matter.

When a Check Point gateway is first installed, it generates a unique private key, which is then signed by the ICA when SIC is established.
Much like when you issue a Certificate Signing Request for a certificate to a public CA for a website, the ICA does not need to know the gateway's private key in order to sign the certificate.

We do not provide a mechanism to export private keys from the gateway.
It is trivial (and more secure) to generate a new keypair signed by the same Certificate Authority as before.

0 Kudos
starmen2000
Collaborator
Collaborator
‎2023-09-08 11:02 AM
In response to the_rock

In this case, an important point comes to my mind, if something goes bad while replacing the current certificate, how can I revert to the old certificate? Without private key file of the current existing certificate on the gateway is it possible to rollback? 

0 Kudos
the_rock
Legend
Legend
‎2023-09-08 11:26 AM
In response to starmen2000

Thats probably question for TAC, better get an official CP answer. Personally and this is just me. sounds like it might be possible to do it from Guidbedit, but honestly, its just educated guess.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-08 06:49 PM
In response to starmen2000

You might be able to do so with a database revision on the management, but you would have to roll back the entire configuration to the desired point.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events