GSallin
Employee

Migrate VPN Certificate

I have a question.

My customer is currently using a virtual GW as VPN GW; the VPN users have to authenticate themselves with a certificate.

The customer wants to replace his GW with a new one (new release). Is it possible to migrate the certificate from the old GW to the new one?

Thank you

Accepted Solutions
PhoneBoy
Admin

In general, there is no way to export the private key of a gateway and import it to another.
If they use the same Certificate Authority (i.e. are managed by the same management), then this shouldn't create an issue since it's ultimately the CA that validates a certificate is valid.
Other than possibly a fingerprint message when the user connects to the new gateway for the first time, there shouldn’t be any issues authenticating.

More details about your current and proposed configuration (current version, target version, how is the gateway managed from what versions, etc) would help clarify our answers.

8 Replies
G_W_Albrecht
Legend

Why not update the existing GW to the new release? This would keep everything...

CCSE CCTE CCSM SMB Specialist
GSallin
Employee

Because he wants to restart from scratch with a new one.

G_W_Albrecht
Legend

Not possible without TAC afaik.

CCSE CCTE CCSM SMB Specialist
PointOfChecking
Collaborator

Hi Phone Boy,

We have 2 GWs, a 3800 (R80.40) and an 1800 (R80.20.50).

According to your comment, can I use the same certificate to connect to different GW's VPN if they use the same MGMT (Same CA)?

I have tried, but in the logs (after vpn debug ikeon), I see the below in the smart logs:

It's strange, it can see the correct DN, but shows "user DN unknown" and for the key install it shows "invalid certificate".

Any ideas please?

I also tried to create a new client certificate and enroll that one to the other GW, but it still fails (i.e. one client certificate per GW per user).

(attached screenshot: VPN-unknownuser.png)

(attached screenshot: VPN-unknownuser1.png)

PhoneBoy
Admin

Suggest involving the TAC to troubleshoot this: https://help.checkpoint.com

Chris_Atkinson
Employee

Please also note that R80.20.x will be EOL in Oct-23; please refer to:

https://www.checkpoint.com/support-services/support-life-cycle-policy/#embedded-security

CCSM R77/R80/ELITE
the_rock
Legend

Hey @GSallin 

Not sure if it is possible, but the discussion below might be helpful:

https://community.checkpoint.com/t5/Management/quot-unknown-quot-certificate-on-management-server/m-...

Andy
