Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.
COURSE of the MONTH
13 days, 19 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
default cert expires in 2 days on CheckPoint NG AI R 55 Firewall ! PLEASE Help !
Posted on 2008-10-02
Hi,
our firewall's ( Checkpoint NG AI R 55 ) default cert created while installing the firewall is going to expire in 2 days
the firewall is supporting 50 user network and 2 vpn tunnels ( site to site )
once the cert expires does the firewall stops working ?
does the vpn tunnels break ?
how do we recreate the cert with hurting the firewall ? we just have only one firewall and now this situation is scary !
Please help !!!!
our firewall's ( Checkpoint NG AI R 55 ) default cert created while installing the firewall is going to expire in 2 days
the firewall is supporting 50 user network and 2 vpn tunnels ( site to site )
once the cert expires does the firewall stops working ?
does the vpn tunnels break ?
how do we recreate the cert with hurting the firewall ? we just have only one firewall and now this situation is scary !
Please help !!!!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
-
7
3
10 Comments
If the certificate expires then your VPNs will certainly break but your firewalls should still pass normal traffic.
The following should renew your certificate without having to re-establish SIC:
cpca_client revoke_cert -n "CN=cp_mgmt"
cpca_client create_cert -n "CN=cp_mgmt" -f /opt/CPshrd-R55/conf/sic_c
cpstop
cpstart
(It's always good to back everything up before carrying out anything critical!)
The following should renew your certificate without having to re-establish SIC:
cpca_client revoke_cert -n "CN=cp_mgmt"
cpca_client create_cert -n "CN=cp_mgmt" -f /opt/CPshrd-R55/conf/sic_c
cpstop
cpstart
(It's always good to back everything up before carrying out anything critical!)
Thanks
does the same command hold good for a windows 2003 server ? sorry i am newbie.
also can you please let me know how do i backup the firewall before I run these commands.
Thanks again
does the same command hold good for a windows 2003 server ? sorry i am newbie.
also can you please let me know how do i backup the firewall before I run these commands.
Thanks again
sorry once again
is it okay to do this from the gui tool ?
if i go to firewall object property sheet and then click on vpn , it shows me the vpn domains as well as the current certificate .
i have options to add , edit , remove the certificate .
Please advise !
is it okay to do this from the gui tool ?
if i go to firewall object property sheet and then click on vpn , it shows me the vpn domains as well as the current certificate .
i have options to add , edit , remove the certificate .
Please advise !
Ok:
The same commands will work for a windows server but you need to modify the path to your p12 certificate file, should be something like the following (but please check by doing a search for sic_cert.p12):
cpca_client revoke_cert -n "CN=cp_mgmt"
cpca_client create_cert -n "CN=cp_mgmt" -f C:\Program Files\CheckPoint\CPShared\
cpstop
cpstart
The options in your GUI tool are to do with the VPN cert but I'm assuming the one which is expiring is your internal CA certificate upon which your VPN cert is based. The commands above should renew your current certificate meaning that there will be no disruption to the VPNs.
The same commands will work for a windows server but you need to modify the path to your p12 certificate file, should be something like the following (but please check by doing a search for sic_cert.p12):
cpca_client revoke_cert -n "CN=cp_mgmt"
cpca_client create_cert -n "CN=cp_mgmt" -f C:\Program Files\CheckPoint\CPShared\
cpstop
cpstart
The options in your GUI tool are to do with the VPN cert but I'm assuming the one which is expiring is your internal CA certificate upon which your VPN cert is based. The commands above should renew your current certificate meaning that there will be no disruption to the VPNs.
Apologies again for being a pain on this. sorry i am newbie.
InternalCA.p12 is located at F:\FW1\R55\conf
In the vpn properties sheet I see the following details. this one is expiring and have to run this command now.
Under certificate lists
Nickname : defaultCert
Certificate Authority : Internal_ca
Status : Signed
Location : management_server
the internal_CA is installed on the management server (management server is also installed on the same box)
looks like I need to renew this cert but please advise.
the following command i plan to run please correct .thanks
cpca_client revoke_cert -n "CN=cp_mgmt"
cpca_client create_cert -n "CN=cp_mgmt" -f F:\FW\\R55\conf\internal_C
cpstop
cpstart
Any tips on backup of firewall before I run the commands ?
PS : sic_cert.p12 is located at C:\Program Files\CheckPoint\CPShared\
InternalCA.p12 is located at F:\FW1\R55\conf
In the vpn properties sheet I see the following details. this one is expiring and have to run this command now.
Under certificate lists
Nickname : defaultCert
Certificate Authority : Internal_ca
Status : Signed
Location : management_server
the internal_CA is installed on the management server (management server is also installed on the same box)
looks like I need to renew this cert but please advise.
the following command i plan to run please correct .thanks
cpca_client revoke_cert -n "CN=cp_mgmt"
cpca_client create_cert -n "CN=cp_mgmt" -f F:\FW\\R55\conf\internal_C
cpstop
cpstart
Any tips on backup of firewall before I run the commands ?
PS : sic_cert.p12 is located at C:\Program Files\CheckPoint\CPShared\
cpca_client revoke_cert -n "CN=cp_mgmt"
cpca_client create_cert -n "CN=cp_mgmt" -f C:\Program Files\CheckPoint\CPShared\
cpstop
cpstart
To backup your management server you can back up your windows box. To backup just the Checkpoint config, you can search for the upgrade_export.exe, get a command prompt in that directory and issue the command: "upgrade_export my_export" which will create the file my_export.tgz - move this off the server to a safe place.
cpca_client create_cert -n "CN=cp_mgmt" -f C:\Program Files\CheckPoint\CPShared\
cpstop
cpstart
To backup your management server you can back up your windows box. To backup just the Checkpoint config, you can search for the upgrade_export.exe, get a command prompt in that directory and issue the command: "upgrade_export my_export" which will create the file my_export.tgz - move this off the server to a safe place.
I did the follow steps
1. removed the vpn domains from the vpn community in the vpn property page.
2. removed the defaultCert from the certificates list.
3. Added the new defaultCert and clicked on the generate button .
it created the new cert which is good for next 5 years.
after that i pinged the servers in the site to site tunnel and got a reply.
from home network also the users were able to connect to the vpn server.
i still not restarted the services or the server.
i thank you for the help offered and in future if sic_cert needs to be reinitialized i follow the steps from you
1. removed the vpn domains from the vpn community in the vpn property page.
2. removed the defaultCert from the certificates list.
3. Added the new defaultCert and clicked on the generate button .
it created the new cert which is good for next 5 years.
after that i pinged the servers in the site to site tunnel and got a reply.
from home network also the users were able to connect to the vpn server.
i still not restarted the services or the server.
i thank you for the help offered and in future if sic_cert needs to be reinitialized i follow the steps from you
Featured Post
Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This is an article about my experiences with remote access to my clients (so that I may serve them) and eventually to my home office system via Radmin Remote Control. I have been using remote access for over 10 years and have been improving my metho…
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market. Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses
Course of the Month13 days, 19 hours left to enroll
801 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.