| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi, I have a Checkpoint NG R55, and my certificate of the internal CA is out of date. Is there an easy way to renew it without having to destroy all my VPN communities? In NGX there is a nice "Renew" button, but no such thing in NG. |
| |||
| m.schmidt- Check your clocks; the ICA should have a twenty (20) year life. Check the cpca_client CLI command options; sometimes there is functionality from the CLI tool that is not enabled in the GUI. Bob __________________ Robert Meyeing,CISSP,CCMA 0017,CCSI,CCSE+NGX CCSE,CCSA,NCSA,NCSP Sr Info Security Consultant Intelligent Connections |
| |||
| m.schmidt- OK, so the VPN certificate has expired, not the ICA certificate. Is the certificate used to authenticate VPN tunnels with any gateways you do not manage (e.g. an external partner, using certs, not pre-shared secrets)? The remove, delete and create process should work fine since you are not going to actually install policy until the process is completed. As always, make a backup and db revision of your config before performing a process of this nature. You won't have to destroy your VPN communities, but to delete the VPN certificate, the GW with the cert has to be removed from the communities before you can delete the cert itself. Then click [OK], edit the GW again and create a new cert, add the GW back to the community and install policy. Everything should be fine. SR/SC users will have to update their site in order to fetch the new VPN cert. __________________ Robert Meyeing,CISSP,CCMA 0017,CCSI,CCSE+NGX CCSE,CCSA,NCSA,NCSP Sr Info Security Consultant Intelligent Connections |