Procedure
Note: In Management HA configuration, implement the below steps on the Primary Security Management Server / Multi-Domain Management Server.
- Take a backup or snapshot of the machine (sk108902).
- Make sure that the SIC certificate is still valid:
On Security Management Server:
[Expert@HostName]# cpca_client lscert -stat Valid -kind SIC
On Multi-Domain Management Server:
[Expert@HostName]# mdsenv
[Expert@HostName]# cpca_client lscert -stat Valid -kind SIC
If the output does not show a certificate for "CN=cp_mgmt...", proceed with the steps below. Verify the CN format: it can differ from the one shown above.
If the output is "Operation failed. rc=-1", make sure the Management Server is Active as per sk98432.
- Back up the existing certificate:
- For Gaia:
On Security Management Server:
[Expert@HostName]# cp $CPDIR/conf/sic_cert.p12{,_BACKUP}
On Multi-Domain Security Management Server:
[Expert@HostName]# mdsenv
[Expert@HostName]# cp $CPDIR/conf/sic_cert.p12{,_BACKUP}
- For Windows:
- Go to the %CPDIR%\conf\ folder
- Create a copy of the sic_cert.p12 file
- Revoke the current SIC server certificate:
Note: In Management HA, the CN must be the same as the one stored in HKLM_registry. If the management server acted as a Secondary in the past, the CN is of the format CN=cp_mgmt_<OBJECT_NAME>.
To check the CN in the registry:
[Expert@HostName]# grep MySICname $CPDIR/registry/HKLM_registry.data
On Security Management Server:
[Expert@HostName]# cpca_client revoke_cert -n "CN=cp_mgmt"
On Multi-Domain Management Server:
[Expert@HostName]# mdsenv
[Expert@HostName]# cpca_client revoke_cert -n "CN=cp_mgmt"
- Create the new SIC server certificate:
On Security Management Server:
[Expert@HostName]# cpca_client create_cert -n "CN=cp_mgmt" -f $CPDIR/conf/sic_cert.p12
On Multi-Domain Security Management Server:
[Expert@HostName]# mdsenv
[Expert@HostName]# cpca_client create_cert -n "CN=cp_mgmt" -f $CPDIR/conf/sic_cert.p12
Note: The file name is not a recommendation; it must be sic_cert.p12.
- Restart Check Point services:
On Security Management Server:
[Expert@HostName]# cpstop
[Expert@HostName]# cpstart
On Multi-Domain Security Management Server:
[Expert@HostName]# mdsstop
[Expert@HostName]# mdsstart
Note: This step is necessary so that running processes reload the new SIC certificate details from their cache. On Multi-Domain Management Server, a full mdsstop is required; restarting only the MDS-level services with "mdsstop -m" is not enough.
- Connect to the Security Management Server / Multi-Domain Management Server with SmartConsole.
Important: If you lose VPN connectivity (IPsec/SSL) and access to the Gateway's WebUI, also renew the VPN certificate under Gateway Properties > IPSec VPN.
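The procedure above as one shell script for a Gaia Expert shell. This is an added example, not Check Point's own tooling: the two parsing functions run on captured text so the pre-checks (which CN is in the registry, whether a Valid SIC certificate already exists) can be tested offline, and the renewal function itself only shells out to cpca_client, cpstop/cpstart (or mdsstop/mdsstart when MDS=1) when DRY_RUN is unset. The registry line format (":MySICname ("CN=...,O=...")") and the lscert output layout ("Subject = CN=...") are assumptions for this example; the sample lscert output is constructed. Confirm both against the real output of "grep MySICname $CPDIR/registry/HKLM_registry.data" and "cpca_client lscert -stat Valid -kind SIC" before relying on the checks.

```shell
#!/bin/bash
# Added example (not Check Point code): wrapper for SIC server certificate
# renewal on a Security Management Server, mirroring the manual steps.

# Sample lscert output, CONSTRUCTED for this example (layout assumed).
LSCERT_SAMPLE='Operation succeeded. rc=0.
1 certs found.

Subject = CN=cp_mgmt,O=mgmt.example.net.abcdef
Status = Valid   Kind = SIC   Serial = 12345   DP = 0'

# Extract the CN component ("CN=cp_mgmt" or "CN=cp_mgmt_<OBJECT_NAME>") from
# a Check Point registry file. Assumes the line looks like
#   :MySICname ("CN=cp_mgmt,O=mgmt.example.net.abcdef")
# Only the part before the first comma is returned, which is what
# cpca_client revoke_cert/create_cert -n expects in the procedure.
sic_cn_from_registry() {
    regfile="$1"
    sed -n 's/^:MySICname ("\([^,"]*\).*/\1/p' "$regfile" | head -n 1
}

# Check captured "cpca_client lscert -stat Valid -kind SIC" output.
# Returns 0 if a Valid SIC certificate with the given CN is listed,
# 1 if it is absent (renewal needed), 2 on "Operation failed" (server is
# not Active; fix that first, see sk98432).
sic_cert_present() {
    cn="$1"
    lscert_output="$2"
    if printf '%s\n' "$lscert_output" | grep -q 'Operation failed'; then
        return 2
    fi
    printf '%s\n' "$lscert_output" | grep -q "^Subject = ${cn},"
}

# Back up, revoke, recreate and restart, in the order of the procedure.
# DRY_RUN=1 echoes each command instead of running it so the sequence
# (and the CN being revoked) can be reviewed before touching the CA.
# MDS=1 selects mdsstop/mdsstart; run mdsenv in the shell first on an MDS.
renew_sic_cert() {
    cn="$1"
    cpdir="${CPDIR:?CPDIR is not set; run this from an Expert shell}"
    certfile="$cpdir/conf/sic_cert.p12"       # name must stay sic_cert.p12
    run=""
    [ -n "$DRY_RUN" ] && run="echo"
    stop=cpstop; start=cpstart
    [ -n "$MDS" ] && { stop=mdsstop; start=mdsstart; }
    $run cp "$certfile" "${certfile}_BACKUP"                       || return 1
    $run cpca_client revoke_cert -n "$cn"                          || return 1
    $run cpca_client create_cert -n "$cn" -f "$certfile"           || return 1
    $run $stop                                                     || return 1
    $run $start
}
```

Typical use on the Primary server: source the file, then run `cn="$(sic_cn_from_registry "$CPDIR/registry/HKLM_registry.data")"; sic_cert_present "$cn" "$(cpca_client lscert -stat Valid -kind SIC)" || DRY_RUN=1 renew_sic_cert "$cn"`, inspect the echoed commands, and repeat without DRY_RUN. Reading the CN from the registry rather than hard-coding "CN=cp_mgmt" is what keeps the revoke step correct on a server that was once a Secondary.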