Re: extended vpn authentication failure

The root certificate for the internal CA expired? Wow. When I created a CA in R55, it had a 20 year lifetime. Check Point hasn't even been in existence long enough for it to expire. Are you sure it's not the 5-year VPN certificate instead?

You can go to the gateway object, un-check VPN-1, save it, open the gateway object, re-check VPN-1, save it and push the policy. That will put a new certificate on without affecting the root certificate.

Do you have web access to the internal CA via port 18265? If you don't know what I'm talking about, there is a site on https://<smartcenterIP>:18265 that lets you access the ICA and check on certificate status, etc. You need an administrator certificate and it's turned on via a command line command. There is an SK article on it.

Ray