Garrett_DirSec
Advisor

ICA issues with multiple "cn=cp_mgmt" certs and how this affects R81+ platform

Hello -- I have encountered various instances of the "certificate revoked" issue for a SmartConsole connecting to a newly upgraded R81 SmartCenter. The issue happened to be ICA having issued multiple "cn=cp_mgmt" certs -- all valid -- for the same SmartCenter host.

I was surprised to encounter a customer environment with SmartCenter running default ISO R81 that had TEN valid "cn=cp_mgmt" certs, was upgraded from R77xx, and was NOT exhibiting the "certificate revoked" SmartConsole connect issue.

We upgraded the environment (including distributed gateways) to R81.10 with Jumbo GA take 30. The underlying ICA and "cn=cp_mgmt" issue was not resolved. Since this is a known issue (SK169553), I figured that Checkpoint would address it via hotfix and/or manager rev upgrade.

While we investigated another annoying problem with R81.10 breaking connectivity for the LDAP account unit (and thus ADQuery), I checked on multiple "cn=cp_mgmt" certs and was surprised to see multiple (in this case: ten valid certs, there should be only ONE).

Since R81.10 (and subsequent R81 jumbos) is not fixing this issue behind the scenes, what are the ramifications and potential issues a customer would experience (other than "certificate revoked" in SmartConsole)?

What are the potential issues the Checkpoint community will experience with a potentially large number of customers having this issue and many unaware?

 

 
