Hi all,
This is my first post, so I would just like to say hello! I have been keeping an eye on these forums for a good year or so, but have not had the knowledge to help / the need to ask for help.
I am now fairly experienced in Check Point and am now CCSE qualified, to give you an idea of my technical competency.
Right... so on to the issue at hand.
We have several SNX deployments protected by 3rd party SSL certificates, one of which is now due to expire this month.
I noticed that when I went into the firewall object -> IPSec VPN tab where the certificates are stored, that the 'renew' option is greyed out on the 3rd party certificate.
First point of call was to search the web which returned nothing.
I then logged a call with Check Point directly, who have told me that it is not possible to 'renew' a 3rd party certificate. To which I replied with, 'How do I go about getting the same certificate reissued?', to which I was told, delete it and reapply.
If I were to follow the advice of the CP engineer, the SNX deployment would be protected by a self-signed certificate for up to 2 days whilst the application for a new certificate is done. I am not too fussed about the aspect of it being less secure for this time, more of the reputation impact it will have on our company, who have large numbers of customers who actively use this SNX deployment.
Surely I cannot be the only person in the world that thinks this is a bit pants?
My question to the wise members of the forum is.... is there any way to do this that the CP engineer did not know about?
Firewall Details:
12600 HA cluster running R77.10
Certificate installed: Wildcard certificate, due to multiple DNS names pointing to the same deployment.
I look forward to hearing what you think and what experiences you have had.
Thanks,
Sam