Renew an expired certificate from ICA

The certificate in a gateway’s (or cluster’s) properties > IPSec VPN > Certificate repository has expired, and the “Renew…” button is greyed out, so the certificate cannot be renewed in place and must be removed and recreated.

Solution:

1) Remove the certificate from the gateway:
a) From SmartDashboard > Gateway (Cluster) Properties > IPSec VPN, record the CN verbatim (example: “default VPN Certificate”); it will be needed again in steps 2) and 3).

b) Highlight the expired certificate and click the “Remove” button.
Note: If you get errors about the gateway being used in VPNs, cancel out of the properties, remove the gateway from every VPN community it participates in, then return to the gateway (cluster) properties and repeat step b). Record which communities you removed it from; they must be restored in step 3).

c) Click on the properties window “OK” button to exit.

d) Save the policy (“File” menu > “Save”) and close all GUI clients, including SmartDashboard.
Note: DO NOT PUSH POLICY at this stage.

2) Remove any instances of the certificate from your internal CA:
a) Enable access to ICA management:
From the Security Management Server, run the command ‘cpca_client set_mgmt_tool on -no_ssl’ (if your SMS is on SecurePlatform, run it in expert mode).
Note: This opens the ICA management tool WITHOUT authentication or encryption, so anyone who can reach TCP port 18265 on the SMS can manage ICA certificates while it is on. Keep it enabled only for the duration of this step and disable it in step d) below. If running it unauthenticated is unacceptable, follow sk39915 to enable authentication instead: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39915

b) Connect to the ICA management tool:
In a browser, connect to http://<IP.address.of.SMS>:18265 (https if you followed the SK to enable authentication; the port is still 18265).

c) Remove all instances of that certificate:
i) From the Manage Certificates (initial) screen, leave all fields blank (and all drop-down boxes at the default “Any”) and click Search.
ii) Find and select EVERY instance of the certificate with the same CN (including all expired and revoked instances) and click “Remove selected”.
iii) Search again (all fields blank, drop-down boxes on “Any”) and double-check that no instance with that CN remains.

d) Close your browser session to the ICA Management Tool and run the command ‘cpca_client set_mgmt_tool off’ to disable it. Do not skip this: the tool stays reachable on port 18265 until it is switched off.

3) Recreate the certificate:
a) Log back into SmartDashboard, go to the Cluster Properties > IPSec VPN

b) In the repository of certificates, select “Add…”

c) For the Certificate Nickname, use the same CN the old certificate had (recorded in step 1) a).

d) Click the “Generate…” button. In the Generate Keys window, enter the old CN again, check “Define Alternate Name”, and confirm the auto-populated IP address is the one peers will validate the certificate against when they connect (normally the gateway’s external address). Then click “OK”.

e) Click “OK” again to create the certificate, and click “OK” on the properties window.
Note: If you had to remove the gateway from any VPN communities to complete step 1) b), re-add it to those communities now, before installing policy as below.

f) Install policy to ALL GATEWAYS
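
As an added example (not part of the original article and not Check Point's own tooling), the following POSIX shell helpers support step 2) from the SMS expert shell: one wrapper runs a command with the unauthenticated ICA management tool enabled and guarantees it is switched off again on every exit path (steps 2a and 2d), and two functions parse ‘cpca_client lscert’ output to list and count every ICA instance of a given CN, so you can confirm the set of certificates to remove before step 2c and verify that none remain afterwards. The layout of the lscert output, the CNs, serials and dates are constructed assumptions; compare the format against your own ‘cpca_client lscert -kind IKE’ output before relying on it.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for step 2 run on the
# Security Management Server in expert mode. The lscert output layout and all
# certificate data below are assumed/constructed, not a real capture.

# Constructed sample of 'cpca_client lscert -kind IKE' output (assumed layout).
SAMPLE_LSCERT='Operation succeeded. rc=0.
3 certs found.

Subject = CN=default VPN Certificate,O=mgmt.example.com.a1b2c3
Status = Expired   Kind = IKE   Serial = 10234   DP = 0
Not_Before: Mon Jan  4 10:00:00 2016   Not_After: Thu Jan  3 10:00:00 2019

Subject = CN=default VPN Certificate,O=mgmt.example.com.a1b2c3
Status = Revoked   Kind = IKE   Serial = 9876   DP = 0
Not_Before: Wed Jan  7 10:00:00 2015   Not_After: Mon Jan  4 10:00:00 2016

Subject = CN=other-gw VPN Certificate,O=mgmt.example.com.a1b2c3
Status = Valid   Kind = IKE   Serial = 11000   DP = 0
Not_Before: Tue Feb  5 10:00:00 2019   Not_After: Fri Feb  4 10:00:00 2022'

# list_cert_instances CN LSCERT_OUTPUT
# Prints "<serial> <status>" for every certificate whose subject CN equals CN
# exactly, whatever its status (Valid, Expired, Revoked, ...): the full set
# step 2c tells you to remove. Assumes the CN itself contains no comma.
list_cert_instances() {
    printf '%s\n' "$2" | awk -v cn="$1" '
        /^Subject = / {
            subj = substr($0, 11)          # drop "Subject = "
            split(subj, rdn, ",")          # first RDN is CN=...
            cur_cn = substr(rdn[1], 4)     # drop "CN="
            next
        }
        /^Status = / && cur_cn == cn {
            # Fields: Status = <st> Kind = <k> Serial = <n> DP = <d>
            for (i = 1; i <= NF; i++) {
                if ($i == "Status") st = $(i + 2)
                if ($i == "Serial") ser = $(i + 2)
            }
            print ser, st
        }'
}

# count_cert_instances CN LSCERT_OUTPUT
# Number of ICA instances of CN; expect 0 after step 2c iii).
count_cert_instances() {
    list_cert_instances "$1" "$2" | wc -l | tr -d ' '
}

# with_ica_mgmt_tool CMD [ARGS...]
# Runs CMD with the ICA management tool enabled exactly as in step 2a
# (unauthenticated, no TLS) and switches it off again on any exit path,
# so a failed or interrupted session cannot leave port 18265 open.
with_ica_mgmt_tool() {
    cpca_client set_mgmt_tool on -no_ssl || return 1
    trap 'cpca_client set_mgmt_tool off' EXIT INT TERM
    "$@"
    rc=$?
    cpca_client set_mgmt_tool off
    trap - EXIT INT TERM
    return "$rc"
}

# Demonstration on the constructed sample (no cpca_client needed):
echo "Instances of 'default VPN Certificate':"
list_cert_instances "default VPN Certificate" "$SAMPLE_LSCERT"

# On a real SMS, before step 2c and again after it:
#   count_cert_instances "default VPN Certificate" "$(cpca_client lscert -kind IKE)"
# and to bound the tool's exposure while you work in the browser UI:
#   with_ica_mgmt_tool sh -c 'echo "Remove the instances in the browser, then press Enter"; read dummy'
```

The wrapper deliberately uses an EXIT trap rather than relying on you remembering step 2d: if the shell session is killed mid-way, the tool is still disabled. The parser matches the CN exactly rather than as a substring, so a CN such as “default VPN Certificate” does not pull in “default VPN Certificate 2” from another gateway.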
