Kolafer
Contributor

Replace TLS cert

Hello all,

Did someone already replace the TLS cert in the Skyline configuration?

The certificate was changed on our Prometheus server. 

Is it possible to use the issuing CA, and not the cert of the Prometheus server, in the configuration?

"enabled": true,
"server-auth": {
    "ca-public-key": {
        "type": "PEM-X509",
        "value": "<CERTIFICATE>"

 
Or what would be the best way, if the certificate of Prometheus will be replaced every 2.5 years?

What are the steps, if we need to replace the certificate for the Skyline TLS configuration?

Thanks


0 Kudos
4 Replies
_Val_
Admin

@Arik_Ovtracht can you please advise?

0 Kudos
Kolafer
Contributor

Hello @Arik_Ovtracht ,

can you advise here please?

I created a new payloadjson and added the issuer CA of the Prometheus server, and afterwards reran the configuration. But it is still not working.

I can see the certificate was added to the certs/ca-bundle.crt. 

br


What are the right steps to replace the certificate on the gateway? 


0 Kudos
Elad_Chomsky
Employee

Hi @Kolafer, please open a support ticket with CheckPoint so we can try to assist you directly.

0 Kudos
Elad_Chomsky
Employee

Hi @Kolafer, as far as I know the issuer CA should work on the GW itself, so it should save you from needing to redeploy (assuming the Prometheus CA is signed by it).

Regarding automatic deployment of certificates, there are some solutions available outside of CheckPoint that can be used, but as this is out of scope for CheckPoint support, I can share them; however, I can't recommend one over the other. For example, CertBot or Kubernetes-based solutions.

0 Kudos
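
Added example, not part of the original thread and not Check Point's code: a shell check that the issuing CA intended for `ca-public-key` really verifies the certificate the Prometheus server presents, and that the CA itself outlives the 2.5-year server rotation mentioned above. The `.pem` file names are hypothetical, and `-partial_chain` assumes the pinned certificate may be an intermediate issuing CA that the consumer treats as the trust anchor.

```shell
#!/bin/sh
# Added example; the .pem file names passed in are hypothetical.

# chains_to_ca CA_PEM SERVER_PEM
# Returns 0 only if SERVER_PEM verifies against the CA(s) in CA_PEM.
chains_to_ca() {
    # -no-CAfile/-no-CApath keep the default system CA file and directory
    # out of the decision, so only the supplied CA can vouch for the server.
    # -partial_chain (assumption) accepts an intermediate issuing CA as anchor.
    openssl verify -no-CAfile -no-CApath -partial_chain \
        -CAfile "$1" "$2" >/dev/null 2>&1
}

# expires_within CERT_PEM DAYS
# Returns 0 if the certificate expires within DAYS days (or cannot be read).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Usage: sh check_ca.sh issuing-ca.pem prometheus-server.pem
if [ "$#" -eq 2 ]; then
    if chains_to_ca "$1" "$2"; then
        echo "OK: server certificate is issued under the supplied CA"
    else
        echo "FAIL: supplied CA does not verify the server certificate" >&2
        exit 1
    fi
    # 913 days is roughly the 2.5-year rotation mentioned in the thread.
    if expires_within "$1" 913; then
        echo "WARN: the CA itself expires before the next server rotation" >&2
    fi
    # Show which CA is being pinned and when it runs out.
    openssl x509 -in "$1" -noout -subject -enddate
fi
```

A FAIL here means the pinned CA did not issue the certificate Prometheus is serving, which would explain a TLS failure even though the CA was added to the bundle.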
