With every Security Policy installation, the Security Management server reviews the certificates held by all the Security Gateways that it manages. For each Security Gateway, it generates a report warning about certificates that will expire within 60 days of the current date. This functionality is always enabled, and the 60-day warning period is fixed.
Security Policy verification alone does not generate a certificate expiration report. The report is generated whether the Policy installation is initiated from SmartDashboard or from the Security Management server's command line.
Check Point recommends always upgrading to a recent version, and to the most recent HFA (HotFix Accumulator) of that version.
In general, after a Security Policy is installed via SmartDashboard, if there are any resulting errors or warnings, a button appears in the bottom left-hand corner of the Installation Process window. The text on the button is either "Show Errors" (when both errors and warnings are produced) or "Show Warnings" (when only warnings are produced).
With the certificate expiration report feature, this button appears after policy installation if any certificate on any of the Security Gateways managed by the Security Management server expires within the next 60 days.
- Depending on the type of processing errors encountered, there may be Policy Installation instances in which no certificate expiration report is generated.
When you press this button, a Verification and Installation Messages table is displayed, containing the errors and/or warnings generated by the Policy Installation process.
For each Security Gateway (a defined network object), every certificate due to expire within 60 days is listed along with its Distinguished Name (DN) and its expiration date and time (the certificate's "not valid after" value).
When policy installations are initiated from the Security Management server command line, certificate expiration warning messages are displayed on the terminal used to start the installation. The information reported is the same as in SmartDashboard.
- Certificate expiration warning messages are not recorded in any log by the Security Management server.
- Warnings are generated and presented anew with each Policy installation.
- If, for a given Policy installation, none of the managed Security Gateways have any certificates due to expire within the next 60 days, no expiration warning messages are produced.
- Currently this is only supported for Security Gateways; no warning appears for Edge devices whose certificate is about to expire.
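Because the warnings above are neither logged nor configurable, an administrator who wants a record of them has to reproduce the check. The following script is an added example, not Check Point code: it applies the same fixed 60-day "not valid after" window to a constructed certificate inventory (hypothetical gateway names and DNs), groups the results per gateway as the report does, and renders lines you can write to your own log. It also goes beyond the product report by checking Edge objects, which the page says the built-in report skips.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed warning period the page describes: certificates expiring within 60 days
# of the current date are reported, and the period cannot be changed.
WARNING_DAYS = 60

# Constructed sample inventory (hypothetical gateway names and DNs, not real
# data). "not_after" is the certificate's "not valid after" value, in UTC.
SAMPLE_CERTS = [
    {"gateway": "gw-branch-01", "type": "Security Gateway",
     "dn": "CN=gw-branch-01 VPN Certificate,O=mgmt-example",
     "not_after": "2024-03-15T10:00:00Z"},
    {"gateway": "gw-hq-01", "type": "Security Gateway",
     "dn": "CN=gw-hq-01 VPN Certificate,O=mgmt-example",
     "not_after": "2025-01-01T00:00:00Z"},
    {"gateway": "gw-branch-02", "type": "Security Gateway",
     "dn": "CN=gw-branch-02 VPN Certificate,O=mgmt-example",
     "not_after": "2024-01-20T08:30:00Z"},
    {"gateway": "edge-site-03", "type": "Edge",
     "dn": "CN=edge-site-03 VPN Certificate,O=mgmt-example",
     "not_after": "2024-02-10T12:00:00Z"},
]

def parse_not_after(ts):
    """Parse an ISO 8601 UTC timestamp such as 2024-03-15T10:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def expiring_certs(certs, now, warning_days=WARNING_DAYS):
    """Group by gateway every certificate whose 'not valid after' is at or before
    now + warning_days. Assumption: already-expired certificates are listed too.
    Unlike the product report on the page, Edge objects are checked as well."""
    cutoff = now + timedelta(days=warning_days)
    report = defaultdict(list)
    for cert in certs:
        if parse_not_after(cert["not_after"]) <= cutoff:
            report[cert["gateway"]].append((cert["dn"], cert["not_after"]))
    return dict(report)  # empty when nothing is due, as the page describes

def format_report(report, warning_days=WARNING_DAYS):
    """Render the report as lines for your own log; the page notes that the
    Security Management server itself does not log these warnings."""
    lines = []
    for gateway, certs in sorted(report.items()):
        lines.append(f"Gateway {gateway}: {len(certs)} certificate(s) expiring "
                     f"within {warning_days} days")
        for dn, not_after in certs:
            lines.append(f"  DN={dn}  not valid after={not_after}")
    return lines
```

Call `format_report(expiring_certs(SAMPLE_CERTS, datetime.now(timezone.utc)))` from a scheduled job and ship the lines to your log collector so a renewal deadline is not lost between policy installations.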
Steps to renew the certificate:
1. Edit the Check Point Gateway Object Properties in SmartDashboard.
2. Go to the IPSec VPN tab.
3. Under the Repository of Certificates section, click the "Renew" button.
4. Click "Yes" to continue.
5. Click "OK" to generate keys and get the Internal CA certificate.
6. Click "OK" on the Gateway Properties.
7. Install Policy on the gateway.
8. Verify the renewal.
Steps to verify the renewal:
1. Edit the Check Point Gateway Object Properties in SmartDashboard.
2. Go to the IPSec VPN tab.
3. Under the Repository of Certificates section, click the "View" button.
4. Verify that the "not after" date has been extended.