CaseyB
Participant

Moving cert based VPNs to third-party cert

We currently utilize certificate based VPNs between our main cluster and some 1430 SMB DAIP appliances, everything is Centrally Managed. These VPNs currently work great with no issues. We fail certain compliance scans because the IPsec certificate being used by the firewall cluster is a self-signed certificate which is an automatic fail. Since we utilize certificate based VPNs, we now have the task of replacing the self-signed VPN certificate with a trusted certificate from a third-party CA.

Replacing the internal VPN certificate with a third-party certificate seems pretty straightforward. My problem is I do not understand what steps are needed to move the 1430 SMB DAIP appliances to using the new third-party certificate and how to test it.

Based on what I know, this is where I am stuck in this process.

  • Load Trusted CA third-party Root & Intermediate servers
  • Edit cluster -> Add new certificate using the new third-party CA / do the CSR process
  • Internal & third-party certs now show in IPsec certificate repo
  • Edit cluster -> IPsec VPN
    • Under traditional mode I would assume I want to make this change during the transition:
      • When negotiating with a locally managed peer gateway:
        The gateway can use any of its certificates. (currently set to internal_ca)
  • Then ???

At this point I would assume both internal_ca & third-party certificates would be presented to the SMB appliances to be used for a certificate VPN, but how do I tell it to use the third-party and how do I verify it is? I would assume this process would be needed every year for the renewal process.

I've looked over this article (Setup Cert VPN), which is basically what we are doing now, and looking over the Site to Site VPN admin guide, it mentions "CA Certificate Rollover" but doesn't offer the insight I am looking for.

The cluster is running R81.10 Take 66 & the SMB 1430 DAIP appliances are running R77.20.87 (990173120).

Thoughts?

5 Replies
_Val_
Admin

May I ask a side question? If all your GWs are centrally managed, why would you need a third-party certificate in the first place? It is usually done to get VPN working with externally managed VPN GWs.

CaseyB
Participant

Sure, I can elaborate on that more.

All of our public IP addresses get scanned for compliance reasons. We would like to pass these compliance scans. If you navigate to the public IP of our cluster, https://<public_ip>/, you will be presented with an SSL certificate. When examining said certificate, it is the same one that is listed in the IPsec certificate repository. That is a self-signed certificate from the internal_ca of the Check Point. This fails the compliance scan because it is seen as a self-signed certificate and therefore it is not trusted. Compliance says we need a valid certificate, so our option is to replace the internal_ca certificate with a trusted third-party certificate; doing that would affect the certificate based VPNs with our 1430 SMB DAIP appliances.

Unless I am missing something and there is a better way to navigate this issue.

TL;DR - Self-signed certificates are bad for certain compliance scans. Self-signed certificates need to be replaced with trusted certificates to not fail compliance scans.

_Val_
Admin

Portal GW certificates are not your VPN certificates. On which port do you see them when running the compliance scan? If on 443, then dig into changing portal certificates, not VPN certs.

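As an added check that is not part of the thread, the helpers below use only the openssl CLI to answer the question raised in the reply above: which certificate a scanner actually sees on TCP/443 of a public IP, whether it is self-signed (issuer equal to subject, the condition a compliance scanner flags), and whether it chains to a given CA bundle. Hostnames and ports are placeholders to fill in; nothing here talks to a Check Point API, and the assumption that the HTTPS listener on the gateway's public IP serves the portal certificate rather than the IKE certificate comes from the reply, not from this code.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers to answer "which certificate does
# the scanner actually see on 443, and is it self-signed?" with the openssl CLI.
# Hostnames/ports are placeholders. Assumption (from the reply above, not verified
# here): the HTTPS listener on a gateway's public IP presents the portal
# certificate, not the IPsec/IKE certificate.

# Print subject, issuer and expiry of the certificate a TLS server presents.
# Usage: portal_cert_info <host> <port>
portal_cert_info() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate
}

# Save the presented certificate as PEM so it can be inspected offline.
# Usage: portal_cert_pem <host> <port> > cert.pem
portal_cert_pem() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Exit 0 if the PEM certificate in file $1 is self-signed (issuer == subject),
# which is the condition a compliance scanner reports as "self-signed".
# RFC2253 name formatting is used so both names compare byte-for-byte.
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit 0 if certificate file $2 chains to the CA bundle in file $1, i.e. a
# scanner that trusts that bundle would accept it.
cert_chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running `portal_cert_info <public_ip> 443` against the cluster's public IP and comparing the printed subject with the entry in the IPsec certificate repository shows whether the scan finding concerns the portal certificate; `portal_cert_pem <public_ip> 443 > cert.pem` followed by `cert_is_self_signed cert.pem` reproduces the scanner's self-signed verdict offline, and `cert_chains_to bundle.pem cert.pem` checks the replacement against the third-party CA chain after it is installed.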

See CP Site to Site VPN R81.10 Administration Guide p. 40f!

CCSE CCTE CCSM SMB Specialist
CaseyB
Participant

That appears to be for externally managed gateways; I do not see how to apply any of that to centrally managed gateways.
