We are trying to determine what VPN certificates will expire in the near future in our customer's environment (running version R77.30). Please review the following example output from one of their CMAs:
    # cpca_client lscert -stat Valid -kind IKE
    Operation succeeded. rc=0.
    3 certs found.

    Subject = CN=BG-domain_Management_Server VPN Certificate,O=BG-domain..kstxe3
    Status = Valid   Kind = IKE   Serial = 37172   DP = 1
    Not_Before: Sun Jan 26 14:08:43 2014   Not_After: Sat Jan 26 14:08:43 2019

    Subject = CN=mgmt-fake VPN Certificate,O=BG-domain..kstxe3
    Status = Valid   Kind = IKE   Serial = 82103   DP = 1
    Not_Before: Sun Jan 26 13:57:52 2014   Not_After: Sat Jan 26 13:57:52 2019

    Subject = CN=bg-gw-utm270 VPN Certificate,O=BG-domain..kstxe3
    Status = Valid   Kind = IKE   Serial = 93179   DP = 1
    Not_Before: Sat Jan 12 21:55:45 2019   Not_After: Fri Jan 12 21:55:45 2024
Note: "bg-gw-utm270" is their one and only Security Gateway in their CMA in question.
The real question is why "BG-domain_Management_Server" and "mgmt-fake" have VPN certificates. They are both Check Point management type objects, therefore at first sight it looks very odd that they have such certificates. Can you help us with a good explanation?
In addition, how exactly can those certificates be renewed?
Thanks in advance.
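
For the first part of the question (which certificates expire soon), the following is an added example, not part of the original post and not Check Point code: a Python parser for saved `cpca_client lscert` output that lists certificates whose Not_After falls within a chosen window. It assumes the output has been saved as text; the names `parse_lscert` and `expiring` are hypothetical, the sample records are copied from the post with line breaks assumed, and timestamps are treated as naive because the output shows no time zone.

```python
import re
from datetime import datetime, timedelta

# Records copied from the output quoted in the post; line breaks are assumed.
SAMPLE = """\
Operation succeeded. rc=0.
3 certs found.
Subject = CN=BG-domain_Management_Server VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 37172   DP = 1
Not_Before: Sun Jan 26 14:08:43 2014   Not_After: Sat Jan 26 14:08:43 2019
Subject = CN=mgmt-fake VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 82103   DP = 1
Not_Before: Sun Jan 26 13:57:52 2014   Not_After: Sat Jan 26 13:57:52 2019
Subject = CN=bg-gw-utm270 VPN Certificate,O=BG-domain..kstxe3
Status = Valid   Kind = IKE   Serial = 93179   DP = 1
Not_Before: Sat Jan 12 21:55:45 2019   Not_After: Fri Jan 12 21:55:45 2024
"""

DATE = r"\w{3} \w{3} +\d+ [\d:]{8} \d{4}"
# One record = Subject .. Status .. Kind .. Serial .. DP .. Not_Before .. Not_After.
# \s* between fields also accepts output whose line breaks were lost in copy/paste.
RECORD = re.compile(
    r"Subject = (?P<subject>.*?)\s*Status = (?P<status>\w+)\s+Kind = (?P<kind>\w+)"
    r"\s+Serial = (?P<serial>\d+)\s+DP = \d+\s*"
    rf"Not_Before: (?P<nb>{DATE})\s+Not_After: (?P<na>{DATE})",
    re.S,
)

def _ts(s):
    # Naive timestamp: the lscert output carries no time zone (assumption).
    return datetime.strptime(" ".join(s.split()), "%a %b %d %H:%M:%S %Y")

def parse_lscert(text):
    """Return one dict per certificate record found in lscert output."""
    return [
        {"subject": m["subject"], "status": m["status"], "kind": m["kind"],
         "serial": int(m["serial"]), "not_before": _ts(m["nb"]), "not_after": _ts(m["na"])}
        for m in RECORD.finditer(text)
    ]

def expiring(certs, now, days=60):
    """Certificates whose Not_After is on or before now + days, soonest first."""
    limit = now + timedelta(days=days)
    return sorted((c for c in certs if c["not_after"] <= limit), key=lambda c: c["not_after"])

if __name__ == "__main__":
    for c in expiring(parse_lscert(SAMPLE), datetime.now()):
        print(f'{c["not_after"]:%Y-%m-%d} serial={c["serial"]} {c["subject"]}')
```

Certificates already past Not_After are included in the result, so an entry the CA still reports as Valid but whose date has passed shows up first.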