Difference between revisions of "How to Renew an expired VPN Certificate"

From Tech-Wiki
Latest revision as of 03:47, 12 December 2012


A certificate cannot be removed if the SmartCenter server infers from other settings that the certificate is in use, for example, that the module belongs to one or more VPN communities and this is the module's only certificate.

Recovery and Renewal with Internal CA

Steps to be taken when you get an error message stating that the certificate is in use:

  • Under "Network Objects" > "Check Point" select the VPN Module.
  • Select VPN
  • Select the expired certificate in "Certificate List" section
  • Try to remove the certificate
  • If it works a new certificate should be automatically created
  • If you get an error message ("Certificate is used in IKE authentication, prior to deleting define an alternative..") proceed as follows:
  • Note the certificate details (DN)
  • Select "Traditional mode configuration", remove tick from "Public Key Signatures"
  • Test if deleting the certificate works, if so:
  • Add new certificate named defaultCert and pick the internal CA.
  • Select "Traditional mode configuration", add tick to "Public Key Signatures"


  • If unable to do the previous 3 steps:
  • Select "Policy" > "Global Properties"
  • Select "Authentication"
  • Select "Authenticate internal users with this suffix only", note the suffix (OU=users,O=...) and remove the tick
  • Push policy
  • Delete the certificate
  • Add certificate using the old DN information
  • Press edit and note the certificate Issuer (O=...)
  • Modify the "Global Policy" and reactivate the suffix using the new issuer info
  • Modify the "Traditional mode configuration" and reactivate the "Public Key Signatures"
  • Push policy
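The last steps of the procedure hinge on one detail: the "Authenticate internal users with this suffix only" suffix (OU=users,O=...) embeds the issuer's O= value, so a certificate re-created under the internal CA with a new issuer will not match the old suffix until Global Properties is updated. The following Python is an added example, not code from the Tech-Wiki page or from Check Point, that parses DN strings, derives the suffix to re-enter from the new issuer DN, and lists which user DNs would fail the suffix restriction. The sample DNs are constructed, and the case-insensitive trailing-RDN comparison is an assumption about how the suffix is matched; the page does not document Check Point's exact rules.

```python
# Added example (not from the Tech-Wiki page or Check Point): checks the
# relationship between a certificate DN, the certificate issuer, and the
# "Authenticate internal users with this suffix only" suffix (OU=users,O=...)
# that the renewal procedure tells you to note, remove, and re-enable with
# the new issuer information.
from typing import List, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split an RFC 2253-style DN into (attribute, value) pairs.

    Handles backslash-escaped commas inside values; attribute types are
    normalised to upper case, values are kept as written.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character, keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                          # unescaped comma ends the RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: List[RDN] = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def _escape(value: str) -> str:
    """Re-escape backslashes and commas so a rebuilt DN string round-trips."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def dn_has_suffix(dn: str, suffix: str) -> bool:
    """True if the trailing RDNs of `dn` equal `suffix`.

    Assumption: attribute types and values compare case-insensitively (usual
    X.500 behaviour); the page does not state Check Point's matching rules.
    """
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    s = [(a, v.lower()) for a, v in parse_dn(suffix)]
    return len(s) <= len(d) and d[len(d) - len(s):] == s


def rebuild_suffix(old_suffix: str, new_issuer_dn: str) -> str:
    """Return `old_suffix` with its O= component replaced by the O= of the
    renewed certificate's issuer: the value to type back into
    Policy > Global Properties > Authentication after the certificate is re-created."""
    issuer_o = next((v for a, v in parse_dn(new_issuer_dn) if a == "O"), None)
    if issuer_o is None:
        raise ValueError("issuer DN carries no O= component")
    parts: List[str] = []
    replaced = False
    for attr, value in parse_dn(old_suffix):
        if attr == "O" and not replaced:
            value, replaced = issuer_o, True
        parts.append(f"{attr}={_escape(value)}")
    if not replaced:
        raise ValueError("suffix carries no O= component to update")
    return ",".join(parts)


def users_rejected_by_suffix(user_dns: List[str], suffix: str) -> List[str]:
    """User DNs that would no longer satisfy the suffix restriction."""
    return [u for u in user_dns if not dn_has_suffix(u, suffix)]


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    old_suffix = "OU=users,O=mgmt.example.net.a1b2c3"
    new_issuer = "O=mgmt.example.net.d4e5f6"
    new_suffix = rebuild_suffix(old_suffix, new_issuer)
    print("suffix to re-enter:", new_suffix)
    sample_users = [
        "CN=alice,OU=users,O=mgmt.example.net.d4e5f6",
        "CN=Doe\\, John,OU=users,O=mgmt.example.net.d4e5f6",
        "CN=bob,OU=users,O=mgmt.example.net.a1b2c3",   # still bound to the old issuer
    ]
    for u in users_rejected_by_suffix(sample_users, new_suffix):
        print("would be rejected by the new suffix:", u)
```

Run it as a script to see the rebuilt suffix and the DN that still carries the old issuer; the point is that re-enabling the suffix with the old O= value after the certificate has been re-created silently locks out every user certificate issued under the new issuer.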