sk97691 - Certificate Renewal "At the 75% threshold, it should be renewed automatically."
The sk listed above in Scenario 4 says the cert should renew at the 75% threshold, but we've never had this occur. We have to manually track and manually renew all VPN certs for SIC and VPN (same cert). Why does this SK say the certificates auto-renew when they don't?
Has anyone else had this problem or are we alone?
Accepted Solutions
You are mixing different types of certificates. VPN and SIC certs are NOT the same.
VPN default certificates (IKE certificates) were valid for 5 years. Starting from R81.10, the validity of VPN default certificates (IKE certs) was changed from 5 years to 1 year by default. VPN default certificates (IKE certificates) needed to be renewed manually. There is a way to renew VPN certificates automatically.
SIC certificates are by default valid for 5 years and are automatically renewed once the 75% threshold is reached. In some cases, the SIC certificate is not renewed and has to be renewed manually. Scenario 4 in sk97691 is one example of why SIC needs to be renewed by hand. Another situation where SIC needs to be renewed manually is mentioned in sk103356.
Jozko Mrkvicka
I gave feedback for it; it's 100% wrong. It used to be 5 years for a long time; it has been 1 year since, I believe, 2021 or 2022. You can extend it to 3 years with a command on the mgmt server, then you have to renew it on the gw object to show 3 years' validity. Also, I have no clue in the world where the 75% threshold comes from, as in all my years dealing with CP that has never happened, nor have I ever had any customers who told me they had that cert renewed automatically.
Andy
I see what you mean, will check in the lab shortly.
Andy
I was actually mistaken, and I admit when I'm wrong. @JozkoMrkvicka is absolutely correct. I ran the command below on my R82 standalone lab and it confirms what the sk says. I still can't say for sure about the 75% threshold (personally never heard of it myself), but logically it would make sense, because you never need to reset SIC unless there is a communication issue.
Andy
[Expert@R82:0]# cpca_client lscert
Operation succeeded. rc=0.
5 certs found.
Subject = CN=R82,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 22352 DP = 0
Not_Before: Sun Oct 20 17:56:05 2024 Not_After: Sat Oct 20 17:56:05 2029
Subject = CN=cp_mgmt,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 24961 DP = 0
Not_Before: Sun Oct 20 17:56:05 2024 Not_After: Sat Oct 20 17:56:05 2029
Subject = CN=cp_mgmt,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 65129 DP = 0
Not_Before: Sun Oct 20 17:55:59 2024 Not_After: Sat Oct 20 17:55:59 2029
Subject = CN=R82 VPN Certificate,O=R82..b47sbr
Status = Valid Kind = IKE Serial = 87030 DP = 1
Not_Before: Sun Oct 20 18:30:48 2024 Not_After: Tue Oct 21 18:30:48 2025
Subject = CN=cp_mgmt,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 94884 DP = 0
Not_Before: Sun Oct 20 17:56:12 2024 Not_After: Sat Oct 20 17:56:12 2029
[Expert@R82:0]#
Another example from my R81.20 lab.
Andy
[Expert@CP-MANAGEMENT:0]# cpca_client lscert | grep CN=CP-GW,O=CP-MANAGEMENT..pi6w5j
Subject = CN=CP-GW,O=CP-MANAGEMENT..pi6w5j
Subject = CN=CP-GW,O=CP-MANAGEMENT..pi6w5j
Subject = CN=CP-GW,O=CP-MANAGEMENT..pi6w5j
It was the SIC cert that dropped from our R81.20 management to a lot of 1200Rs in the field this past week. We noticed these stopped backing up each night and, when troubleshooting, noticed the SIC cert had expired. What's odd is that we have HA at most sites, but we had some locations where one firewall lost SIC and the other didn't in the HA pair. I guess that could be caused by RMAs and such during the time we've had these deployed, contributing to why we noticed that on some sites.
So it looks like we were in the group where it didn't occur automatically like it should. Is there an alert or anything that pops up in the logs showing a SIC cert didn't automatically renew, or something we can trigger off of other than losing SIC or manually checking?
Not sure about an alert, but maybe check if there are any logs for port 18191?
Andy
I checked a few that dropped SIC and didn't see anything but accepts on port 18191. It's pretty constant traffic at about 1-4 hits per minute from the gateways to the management server(s).
In that case, I've got nothing else to suggest, sorry. I would open a TAC case to investigate further.
Andy
Thanks for the responses!
If I think of anything else, I will let you know, for sure.
Andy
Looks like a good idea for an RFE.
If SIC is for whatever reason going to expire, you will not get any error/warning. You will notice it just after expiration (too late). For example, you won't be able to push the policy.
You can create your own script running on the management to see the actual expiration date of all valid certs using the command "cpca_client lscert". Once the expiration date of any cert is too close to some date, fire some alarm (send mail).
Jozko Mrkvicka
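The monitoring script Jozko describes, worked out as an added example (this is not code from the thread, from Check Point, or from sk97691). It parses `cpca_client lscert` output into one record per certificate, then flags any Valid cert that is either within a number of days of its Not_After date or past a fraction of its lifetime; the 0.75 default mirrors the 75% figure quoted from the sk, so the same script also shows how far each cert is from that threshold. The embedded sample is the R82 lab listing Andy posted above, kept as an offline fixture; the thresholds (60 days, 75%), the field names, the `load_lscert_output` fallback and the print-then-exit "alarm" step are all assumptions you would replace with your own mail or SNMP hook.

```python
"""Check `cpca_client lscert` output for certificates close to expiry.

Added example for this CheckMates thread; not Check Point code. Run it on
the management server (or feed it saved lscert output) and wire the result
into whatever alerting you already have.
"""
import re
import subprocess
from datetime import datetime

# Fixture: the R82 lab listing posted earlier in this thread, embedded so the
# script runs offline. On a management server the real command output is used.
SAMPLE_LSCERT = """\
Operation succeeded. rc=0.
5 certs found.
Subject = CN=R82,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 22352 DP = 0
Not_Before: Sun Oct 20 17:56:05 2024 Not_After: Sat Oct 20 17:56:05 2029
Subject = CN=cp_mgmt,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 24961 DP = 0
Not_Before: Sun Oct 20 17:56:05 2024 Not_After: Sat Oct 20 17:56:05 2029
Subject = CN=cp_mgmt,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 65129 DP = 0
Not_Before: Sun Oct 20 17:55:59 2024 Not_After: Sat Oct 20 17:55:59 2029
Subject = CN=R82 VPN Certificate,O=R82..b47sbr
Status = Valid Kind = IKE Serial = 87030 DP = 1
Not_Before: Sun Oct 20 18:30:48 2024 Not_After: Tue Oct 21 18:30:48 2025
Subject = CN=cp_mgmt,O=R82..b47sbr
Status = Valid Kind = SIC Serial = 94884 DP = 0
Not_Before: Sun Oct 20 17:56:12 2024 Not_After: Sat Oct 20 17:56:12 2029
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"
SUBJECT_RE = re.compile(r"^Subject = (.+)$")
STATUS_RE = re.compile(r"^Status = (\S+)\s+Kind = (\S+)\s+Serial = (\d+)\s+DP = (\d+)$")
DATES_RE = re.compile(r"^Not_Before: (.+?)\s+Not_After: (.+)$")


def parse_lscert(text):
    """Turn lscert output into a list of dicts, one per certificate."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBJECT_RE.match(line)
        if m:
            cur = {"subject": m.group(1)}
            certs.append(cur)
            continue
        if cur is None:
            continue  # "Operation succeeded" / "N certs found" header lines
        m = STATUS_RE.match(line)
        if m:
            cur.update(status=m.group(1), kind=m.group(2),
                       serial=int(m.group(3)), dp=int(m.group(4)))
            continue
        m = DATES_RE.match(line)
        if m:
            cur["not_before"] = datetime.strptime(m.group(1), DATE_FMT)
            cur["not_after"] = datetime.strptime(m.group(2), DATE_FMT)
    # Drop any record whose validity lines were missing or unparseable.
    return [c for c in certs if "not_after" in c]


def find_expiring(certs, now=None, warn_days=60, lifetime_fraction=0.75):
    """Return Valid certs within warn_days of Not_After or past the given
    fraction of their lifetime (0.75 mirrors the threshold quoted from sk97691).
    Both thresholds are assumed values; tune them to your renewal lead time."""
    now = now or datetime.now()
    findings = []
    for c in certs:
        if c.get("status") != "Valid":
            continue
        total = c["not_after"] - c["not_before"]
        if total.total_seconds() <= 0:
            continue  # malformed validity window; nothing sensible to compute
        elapsed_fraction = (now - c["not_before"]) / total
        days_left = (c["not_after"] - now).days
        reasons = []
        if days_left <= warn_days:
            reasons.append(f"{days_left} days left")
        if elapsed_fraction >= lifetime_fraction:
            reasons.append(f"{elapsed_fraction:.0%} of lifetime elapsed")
        if reasons:
            findings.append({"subject": c["subject"], "kind": c["kind"],
                             "serial": c["serial"], "days_left": days_left,
                             "elapsed_fraction": elapsed_fraction,
                             "reasons": reasons})
    return findings


def load_lscert_output():
    """Use the real command when it is available, otherwise the fixture above."""
    try:
        return subprocess.run(["cpca_client", "lscert"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_LSCERT


if __name__ == "__main__":
    hits = find_expiring(parse_lscert(load_lscert_output()))
    for h in hits:
        # This print is the "alarm" step; replace it with your mail/SNMP hook.
        print(f"WARNING {h['kind']} serial {h['serial']} ({h['subject']}): "
              + "; ".join(h["reasons"]))
    raise SystemExit(1 if hits else 0)
```

Run from cron on the management server; the non-zero exit code lets a wrapper decide whether to send mail. Against the fixture with a clock set to 1 September 2025, only the one-year IKE certificate is reported (about 50 days left, roughly 86% of its lifetime elapsed), while the five-year SIC certificates stay quiet, which is the distinction between the two certificate types made earlier in the thread.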
