CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: 3rd Party SSL Certificate Renewal Issue

  1. #1 (Join Date 2014-04-01, Location Bath, UK, Posts 11)

    Hi all,

    This is my first post, so I would just like to say hello! I have been keeping an eye on these forums for a good year or so, but have not had the knowledge to help / the need to ask for help.

    I am now fairly experienced in Check Point and am now CCSE qualified to give you an idea of my technical competency.

    Right... so on to the issue at hand.

    We have several SNX deployments protected by 3rd party SSL certificates. One of which is now due to expire this month.

    I noticed that when I went into the firewall object -> IPSec VPN tab where the certificates are stored, that the 'renew' option is greyed out on the 3rd party certificate.

    First point of call was to search the web which returned nothing.

    I then logged a call with Check Point directly, who have told me that it is not possible to 'renew' a 3rd party certificate. To which I replied with, 'how do I go about getting the same certificate reissued?', to which I was told: delete it and reapply.

    If I were to follow the advice of the CP engineer, the SNX deployment would be protected by a self-signed certificate for up to 2 days whilst the application for a new certificate is done. I am not too fussed about the aspect of it being less secure for this time, more about the reputational impact it will have on our company, which has large numbers of customers who actively use this SNX deployment.

    Surely I cannot be the only person in the world that thinks this is a bit pants?

    My question to the wise members of the forum is.... is there any way to do this that the CP engineer did not know about?

    Firewall Details:

    12600 HA cluster running R77.10
    Certificate installed: Wildcard certificate, due to multiple DNS names pointing to the same deployment.

    I look forward to hearing what you think and what experiences you have had.

    Thanks,

    Sam

  2. #2 (Join Date 2013-02-13, Posts 32)

    We got the same issue as well.

    What we did is to have the new cert prepared 1 month before it expires.

    Remove the old cert -> add new Cert with a different nickname -> push policy -> rename SSL:certname in fwauthd.conf

    Takes 10 mins.

  3. #3 (Join Date 2014-04-01, Location Bath, UK, Posts 11)

    Hi avdonzzz,

    Thanks for your reply.

    Are you able to elaborate a bit for me?

    What do you mean by preparing the cert 1 month prior to expiration?

    I was under the impression that you cannot have more than 1 certificate on the firewall with the same DN, regardless of the certificate nickname. In my head at least, this means that I cannot prepare the certificate prior to expiration.

    I was also of the understanding that you cannot import 3rd party certificates that have, for instance, been created on a Windows server, signed and exported.

    I will be very happy to be proven wrong on this as it will sort out a rather large headache I can see heading my way in the future.

    Thanks,

    Sam

  4. #4 (Join Date 2013-02-13, Posts 32)

    Yes, you are right, you can only have 1 DN.

    It's a lame method: remove the cert/create the CRL file, but do not push policy until you have got the cert.

    But I encountered this before: when I removed the cert, with the new cert still waiting to "complete", and pushed policies, the previous cert was still there. Probably it will only take effect when doing a cprestart/reboot, which is also why I need to manually change fwauthd.conf.
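The replies above boil down to two operational checks: know well before expiry (a month, per #2) that the reissue has to start, and make sure the wildcard certificate actually covers every DNS name the SNX deployment answers on (#1). The script below is an added example, not code from this thread or from Check Point; it uses only the Python standard library and works on a certificate in the dictionary form that `ssl.SSLSocket.getpeercert()` returns, so it can be tested offline on the constructed `SAMPLE_CERT` (made-up values, `.invalid` names) and then pointed at a live gateway with `fetch_peer_cert()`. The function names, the 30-day warning window and the sample data are all my own assumptions.

```python
"""Pre-expiry and name-coverage check for a gateway's third-party certificate.

Added example, not code from the CPUG thread or from Check Point. Standard
library only; the certificate is handled in the dict shape returned by
ssl.SSLSocket.getpeercert().
"""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample (not a real gateway): the shape getpeercert() returns
# for a wildcard certificate, with made-up values under the .invalid TLD.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.invalid"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
    "subjectAltName": (("DNS", "*.example.invalid"), ("DNS", "example.invalid")),
}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live path: fetch the certificate the gateway presents on its SSL VPN port.

    Not exercised by the offline sample; the verified chain is what SNX clients see.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def at_utc(iso_date):
    """Turn an ISO date string such as '2024-12-15' into an aware UTC datetime."""
    return datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)


def days_until_expiry(cert, now=None):
    """Whole days left before notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    # ssl.cert_time_to_seconds parses the 'Dec 31 23:59:59 2024 GMT' form into epoch seconds.
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expiry - now.timestamp()) // 86400)


def _name_matches(pattern, host):
    """Wildcard matching as browsers apply it: '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                  # '*.example.invalid' -> '.example.invalid'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]       # the label the wildcard has to stand in for
    return bool(leftmost) and "." not in leftmost


def covered_names(cert, hostnames):
    """Map each DNS name the deployment answers on to whether a SAN entry covers it."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {h: any(_name_matches(p, h) for p in sans) for h in hostnames}


def renewal_report(cert, hostnames, now=None, warn_days=30):
    """Summarise expiry and coverage. warn_days mirrors the thread's advice to
    have the replacement certificate ready a month before the old one expires."""
    days = days_until_expiry(cert, now)
    coverage = covered_names(cert, hostnames)
    return {
        "days_left": days,
        "expired": days < 0,
        "renewal_needed": days < warn_days,
        "uncovered": sorted(h for h, ok in coverage.items() if not ok),
    }


if __name__ == "__main__":
    # Offline run on the constructed sample, evaluated as of 15 Dec 2024.
    names = ["vpn.example.invalid", "remote.example.invalid", "deep.vpn.example.invalid"]
    print(renewal_report(SAMPLE_CERT, names, now=at_utc("2024-12-15")))
```

Run it on a schedule against the gateway's public name and alert on `renewal_needed`; that gives the month of lead time the thread recommends without depending on the SmartDashboard 'renew' button. The coverage check is worth keeping because a wildcard covers only one label: `deep.vpn.example.invalid` is reported as uncovered by `*.example.invalid`, which is exactly the kind of name that slips through when several DNS names point at one deployment.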
