How to Renew an expired VPN Certificate

From Tech-Wiki
Revision as of 02:41, 12 December 2012 by Jebr

A certificate cannot be removed if the SmartCenter server infers from other settings that the certificate is still in use, for example because the module belongs to one or more VPN communities and this is the module's only certificate. An expired certificate is therefore not automatically replaceable: the dependency on it has to be broken first, the certificate deleted, a new one issued, and the dependency restored.

Recovery and Renewal with Internal CA

Steps to be taken when you get an error message stating that the certificate is in use:

  • Under "Network Objects" > "Check Point", open the VPN module (the gateway object).
  • Select "VPN".
  • Select the expired certificate in the "Certificate List" section.
  • Try to remove the certificate.
  • If this works, a new certificate should be created automatically (see the official Check Point documentation VPN-1.pdf for R55, page 53).
  • If you get an error message ("Certificate is used in IKE authentication, prior to deleting define an alternative..."), proceed as follows:
    • Note the certificate details (the DN), since the replacement certificate should be issued with the same DN.
    • Select "Traditional mode configuration" and remove the tick from "Public Key Signatures", so that IKE no longer depends on the certificate.
    • Test whether deleting the certificate works now (mostly it does not!).
    • Select "Policy" > "Global Properties".
    • Select "Authentication".
    • Select "Authenticate internal users with this suffix only", note the suffix (OU=users,O=...) and remove the tick. The O= part of this suffix is the Internal CA's issuer name, which is why the certificate is still considered in use.
    • Push the policy.
    • Delete the certificate.
    • Add a new certificate using the old DN information.
    • Press "Edit" and note the certificate issuer (O=...).
    • Modify "Global Properties" > "Authentication" again and re-enable the suffix, this time built from the new issuer information.
    • Modify "Traditional mode configuration" again and re-enable "Public Key Signatures".
    • Push the policy.
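The procedure above relies on three things being consistent after renewal: the new certificate carries the old DN, the user suffix in Global Properties ends with the new issuer's O= value, and the certificate is actually still valid. The following script is an added example, not Check Point code: it checks those conditions on DN strings in the comma-separated "CN=...,OU=...,O=..." form that SmartDashboard displays, and on a `notAfter=` line as printed by `openssl x509 -noout -enddate`. The DN values, the suffix layout "OU=users,O=<issuer O>" and the expiry line are constructed for the example and are assumptions, not values from the original page.

```python
"""Consistency checks for a renewed Internal CA VPN certificate.

Added example (not Check Point's code). Assumptions:
  - DNs are comma-separated RDN strings as shown in SmartDashboard.
  - The Global Properties user suffix has the form "OU=users,O=<issuer O>".
  - Expiry is read from an `openssl x509 -noout -enddate` line.
"""
import calendar
import ssl
import time


def parse_dn(dn):
    """Split 'CN=a,OU=b,O=c' into [('CN','a'), ('OU','b'), ('O','c')].

    Backslash-escaped commas inside a value are kept as part of the value.
    Attribute types are upper-cased so 'cn=' and 'CN=' compare equal;
    values are compared verbatim.
    """
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == ',':
            parts.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append(''.join(cur))

    rdns = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, _, value = part.partition('=')
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_matches(old_dn, new_dn):
    """True when the renewed certificate kept the old DN (step 'add certificate using the old DN')."""
    return parse_dn(old_dn) == parse_dn(new_dn)


def issuer_org(issuer_dn):
    """Return the O= component of the issuer DN noted in the 'Edit' dialog."""
    for attr, value in parse_dn(issuer_dn):
        if attr == 'O':
            return value
    return None


def expected_user_suffix(issuer_dn):
    """Suffix to re-enable under Global Properties > Authentication (assumed layout)."""
    return 'OU=users,O=%s' % issuer_org(issuer_dn)


def dn_has_suffix(dn, suffix):
    """True when the trailing RDNs of dn equal suffix, i.e. the gateway would accept the user."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(s) <= len(d) and d[-len(s):] == s


def utc_epoch(year, month, day, hour=0, minute=0, second=0):
    """Seconds since the epoch for a UTC timestamp (helper for reproducible checks)."""
    return calendar.timegm((year, month, day, hour, minute, second, 0, 0, 0))


def days_until_expiry(not_after_line, now=None):
    """Parse 'notAfter=Dec 12 02:41:00 2012 GMT'; a negative result means already expired."""
    stamp = not_after_line.split('=', 1)[1].strip()
    expires = ssl.cert_time_to_seconds(stamp)
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


if __name__ == '__main__':
    # Constructed sample values; not taken from a real SmartCenter.
    OLD_DN = 'CN=gw1 VPN Certificate,O=mgmt.example.lab.ab12cd'
    NEW_DN = 'cn=gw1 VPN Certificate, o=mgmt.example.lab.ab12cd'
    NEW_ISSUER = 'O=mgmt.example.lab.ab12cd'
    USER_DN = 'CN=alice,OU=users,O=mgmt.example.lab.ab12cd'
    END_DATE = 'notAfter=Dec 12 02:41:00 2012 GMT'

    print('DN preserved:', dn_matches(OLD_DN, NEW_DN))
    suffix = expected_user_suffix(NEW_ISSUER)
    print('suffix to re-enable:', suffix)
    print('user accepted by suffix:', dn_has_suffix(USER_DN, suffix))
    print('days until expiry: %.1f' % days_until_expiry(END_DATE))
```

Run the script before the final policy push: a `False` on the DN check means the new certificate was issued with a different name, and a mismatch between the suffix and the user DNs means internal users will fail certificate authentication once "Authenticate internal users with this suffix only" is re-enabled.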