Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Jeremy_Vickers
Explorer

letsencrypt.org acme protocol - inbound ssl inspection

I'm wondering if it is possible to automate the renewal and update of certificates that are within an inbound ssl inspection ruleset. It would be nice to take advantage of letsencrypt.org for web certificates. There are some bash scripts available to use but i don't know how to programatically update a ssl certificate on the checkpoint firewalls. 

 

Please advise.

 

 

13 Replies
PhoneBoy
Admin
Admin

We have no formal integration with Let's Encrypt.
Versions of management prior to R80.40 do not have APIs for HTTPS Inspection policy, either.
Might be possible to script/API this with R80.40 management, but haven't tried personally.
bmartins-EUDA
Contributor

Have you tried it already? I was also interested on this.

0 Kudos
Stefan_Roesch
Employee
Employee

Hello,
any new experience with Let's encrypt and automatic cert replacement?
Thanks!

BR Stefan

0 Kudos
PhoneBoy
Admin
Admin

I am not familiar with any specific plans to integrate with Let’s Encrypt.
Customers should engage with their local Check Point office with this requirement.
Employees should engage internally with Solution Center.

0 Kudos
WE
Explorer

Were you ever successful? I tried to use LE for the VPN certificate, and the CP appliance fails because the name on the certificate contains an apostrophe (i.e., Let's Encrypt). Because of that (and CP not fixing the issue), I can't use LE for its certs.

0 Kudos
_Val_
Admin
Admin

If you need LE certificates to be supported, please raise an RFE with your local Check Point team. 

0 Kudos
WE
Explorer

See SR#6-0003485196; the initial issue was not specific to LE, but researching the problem unearthed the problem. I did request that they escalate that portion; I do not know how to see any status of that request.

Thanks.

0 Kudos
_Val_
Admin
Admin

Does this request belong to you or someone else?

0 Kudos
_Val_
Admin
Admin

From what I see, that SR is unrelated to the subject in hands.

0 Kudos
WE
Explorer

Yes, which I said in my first reply to you, "the initial issue was not specific to LE". It was during the support discussion that we attempted other certificates, at which point the deficiency (apostrophes in certificate names) was identified.

Since it seems that you can see the conversation, can you confirm that my request to escalate is in some form of a "please fix/implement" queue? If not, what words need to be said to make that happen?

0 Kudos
_Val_
Admin
Admin

The SR above is closed. AFAIK, Let's Encrypt certificates are not supported, but if you need an official confirmation of that, please open a TAC request and ask.

If you need Check Point to support them, please open and RFE with your local Check Point representative, as I mentioned already.

0 Kudos
aheilmaier2
Explorer

are there any API support to exchange ipsec/RAS certificates ?

I only have the Option via UI, with R82 there came some new APIs, but only for https inspection nothing for ipsec/ras.
Any scripting I do not know on how to start, all gets done via CP Manager GUI.

0 Kudos
PhoneBoy
Admin
Admin

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events