SIC Certificate Management

**TheDroppedPacket** · 2020-02-12

Looking for help understanding the certificates used for Secure Internal Communication (SIC). I need to document when certificates are due for renewal and where those certificates are used. I found SK62873 on "How to determine an SIC Certificate's expiration date" and it has you check certificate expiration on the management server from the CLI. It looks like they are all issued to the management device (but issued from where?). If I look at the properties of a gateway in SmartConsole, I can see that they are using the same certificate that was displayed on the management device. Are these certificates that I need to worry about eventually expiring and having to reissue from a certificate authority in the traditional sense? I am having a hard time understanding how these are managed from the admin guide and from what I can find online. I am wondering if these are somehow all internally managed on the management device and that it is pretty much a hands-off operation. If there is a place where this is plainly explained, please do point me in the direction of a KB article or something. Any feedback would be greatly appreciated! Thanks! (I am on R80.20, if that matters.)

**Bob_Zimmerman** · 2020-02-13

A Check Point SmartCenter or MDS runs an internal certificate authority (ICA). It is self-signed, and is the root of trust for the SIC domain. Secondary managements, log servers, firewalls, and so on are all configured manually to trust the primary management's ICA using a shared secret (called the "SIC activation key"). The primary management then signs a certificate for that device. Further communications between the management and the subordinate device are then authenticated (and generally encrypted) using the ICA and the device's key/certificate pair.

You do not need to worry about renewing these certificates with a public certificate authority.

They can expire, but it's rare. I don't think I ever saw one expire in over five years in the Check Point TAC. They attempt to automatically renew themselves, but this process sometimes fails. When it fails, the first symptom generally noticed is policy pushes failing.

Now, there are a few more places certificates can be used which would be worth checking:

VPN certificates can be issued by the management ICA, but you can also import a key/certificate pair if you want one signed by a CA which isn't part of the SIC domain.

You can import a key/certificate pair for use in SSL MitM for URL filtering and application control. That would almost certainly be from a CA outside the SIC domain, but probably not a public CA (the whole idea is to let the firewall sign its communications as Facebook or Google or whoever it wants). I've only seen it use certificates signed by an AD domain controller.

Mobile Access (SSL VPN; formerly SNX or Connectra) can use a certificate from a public CA.

I don't know of any others off the top of my head, but there are probably a few more features I don't regularly think about.