VPN certificate for a management object?

Question asked by Norbert Giczi on Jan 16, 2019
Latest reply on Jan 16, 2019 by Dameon Welch-Abernathy

Hi All,

We are trying to determine what VPN certificates will expire in the near future in our customer's environment (running version R77.30). Please review the following example output from one of their CMAs:

# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
3 certs found.
Subject = CN=BG-domain_Management_Server VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 37172   DP = 1
Not_Before: Sun Jan 26 14:08:43 2014   Not_After: Sat Jan 26 14:08:43 2019
Subject = CN=mgmt-fake VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 82103   DP = 1
Not_Before: Sun Jan 26 13:57:52 2014   Not_After: Sat Jan 26 13:57:52 2019
Subject = CN=bg-gw-utm270 VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 93179   DP = 1
Not_Before: Sat Jan 12 21:55:45 2019   Not_After: Fri Jan 12 21:55:45 2024

 

Note: "bg-gw-utm270" is the one and only Security Gateway in the CMA in question.

The real question is why "BG-domain_Management_Server" and "mgmt-fake" have VPN certificates? They are both Check Point management type objects, therefore at first sight, it looks very odd that they have such certificates. Can you help us with a good explanation?

In addition, how exactly can those certificates be renewed?

Thanks in advance.
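
As an added example (not part of the original post and not Check Point code), one way to answer the expiry question from the output quoted above: this Python script parses the three-line records printed by `cpca_client lscert` and lists the certificates that expire within a chosen window. The function names and the 30-day default are assumptions; the timestamps carry no time zone, so they are treated as naive local time of the management server.

```python
import re
from datetime import datetime, timedelta

# Input: the lscert output quoted in the post above, copied verbatim.
SAMPLE = """\
Operation succeeded. rc=0.
3 certs found.
Subject = CN=BG-domain_Management_Server VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 37172   DP = 1
Not_Before: Sun Jan 26 14:08:43 2014   Not_After: Sat Jan 26 14:08:43 2019
Subject = CN=mgmt-fake VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 82103   DP = 1
Not_Before: Sun Jan 26 13:57:52 2014   Not_After: Sat Jan 26 13:57:52 2019
Subject = CN=bg-gw-utm270 VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 93179   DP = 1
Not_Before: Sat Jan 12 21:55:45 2019   Not_After: Fri Jan 12 21:55:45 2024
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style, as printed by lscert
SUBJECT_RE = re.compile(r"^Subject\s*=\s*(.+)$")
STATUS_RE = re.compile(r"^Status\s*=\s*(\S+)\s+Kind\s*=\s*(\S+)\s+Serial\s*=\s*(\d+)")
DATES_RE = re.compile(r"^Not_Before:\s*(.+?)\s+Not_After:\s*(.+?)\s*$")

def parse_lscert(text):
    """Return one dict per certificate; raise if a record has no validity dates."""
    certs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SUBJECT_RE.match(line):
            cur = {"subject": m.group(1)}
            certs.append(cur)
        elif cur is not None and (m := STATUS_RE.match(line)):
            cur.update(status=m.group(1), kind=m.group(2), serial=int(m.group(3)))
        elif cur is not None and (m := DATES_RE.match(line)):
            cur["not_before"], cur["not_after"] = (
                datetime.strptime(g, DATE_FMT) for g in m.groups())
    bad = [c["subject"] for c in certs if "not_after" not in c]
    if bad:
        raise ValueError(f"records missing validity dates: {bad}")
    return certs

def expiring(certs, now, days=30):
    """Certificates with Not_After within `days` of `now` (expired ones included), soonest first."""
    limit = now + timedelta(days=days)
    hits = [dict(c, days_left=(c["not_after"] - now).days) for c in certs if c["not_after"] <= limit]
    return sorted(hits, key=lambda c: c["not_after"])

if __name__ == "__main__":
    # Evaluated at the date of the post; use datetime.now() on live output.
    for c in expiring(parse_lscert(SAMPLE), datetime(2019, 1, 16)):
        print(f'{c["days_left"]:>4}d  serial={c["serial"]}  {c["subject"]}')
```

Run against the quoted output as of the post date, this reports the two management-object certificates (serials 82103 and 37172) as ten days from expiry and leaves the gateway certificate out.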
