How to Renew an expired VPN Certificate

From Tech-Wiki

A certificate cannot be removed if the SmartCenter server infers from other settings that the certificate is in use, for example when the module belongs to one or more VPN communities and this is the module's only certificate.

Recovery and Renewal with Internal CA

Steps to take when you get an error message stating that the certificate is in use:

  • Under "Network Objects" > "Check Point", select the VPN module.
  • Select "VPN".
  • Select the expired certificate in the "Certificate List" section.
  • Try to remove the certificate.
  • If it works, a new certificate should be created automatically.
  • If you get an error message ("Certificate is used in IKE authentication, prior to deleting define an alternative.."), proceed as follows:
    • Note the certificate details (DN).
    • Select "Traditional mode configuration" and remove the tick from "Public Key Signatures".
    • Test whether deleting the certificate now works; if so:
      • Add a new certificate named defaultCert and pick the internal CA.
      • Select "Traditional mode configuration" and add the tick to "Public Key Signatures" again.

  • If you are unable to do the previous 3 steps:
    • Select "Policy" > "Global Properties".
    • Select "Authentication".
    • Select "Authenticate internal users with this suffix only", note the suffix (OU=users,O=...) and remove the tick.
    • Push policy.
    • Delete the certificate.
    • Add a certificate using the old DN information.
    • Press "Edit" and note the certificate issuer (O=...).
    • Modify "Global Properties" and reactivate the suffix using the new issuer information.
    • Modify the "Traditional mode configuration" and reactivate "Public Key Signatures".
    • Push policy.