RSA Key Lengths in Check Point Products
Solution

This article outlines the lengths of RSA keys used in various Check Point products and instructs how to modify the default key length.

Note:

  • According to NIST Special Publication 800-131A, RSA certificates should use keys no shorter than 2048 bits (starting January 1st, 2014).
    The default length of keys generated by the Check Point Internal CA is 2048 bits; it can be seen in the ICA portal, under the "Configure the CA" section.
Per product, the procedure for modifying the RSA key length:
Gaia Portal

1. Stop the Apache HTTPD2 process:

    [Expert@HostName]# tellpm process:httpd2

2. Backup the file /web/conf/server.key:

    [Expert@HostName]# cp -v /web/conf/server.key{,_ORIGINAL}

3. Backup the file /web/conf/server.crt:

    [Expert@HostName]# cp -v /web/conf/server.crt{,_ORIGINAL}

4. Remove the old .crt and .key files:

    [Expert@HostName]# rm /web/conf/server.crt

    [Expert@HostName]# rm /web/conf/server.key

5. Generate the new 4096-bit RSA key and self-signed certificate (the command below writes both the key and the certificate in one step; no separate CSR is produced):

    [Expert@HostName]# cpopenssl req -new -x509 -sha256 -days 3652 -newkey rsa:4096 -nodes -keyout /web/conf/server.key -out /web/conf/server.crt -config $CPDIR/conf/openssl.cnf

6. Start the Apache HTTPD2 process:

    [Expert@HostName]# tellpm process:httpd2 t
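After step 6, a practitioner will want to confirm that the certificate now served by the portal really carries a key of the intended length, and to audit other portal certificates against the 2048-bit minimum quoted in the Note above. The following script is an added example, not part of this article or of any Check Point product; it assumes an OpenSSL CLI named `openssl` (on Gaia the equivalent is `cpopenssl`), and the function names `rsa_bits_of_cert`, `check_cert_key_length` and `make_demo_cert` are the example's own.

```shell
#!/bin/sh
# Added example, not Check Point's own code: audit the RSA key length of a
# PEM certificate such as the Gaia Portal certificate /web/conf/server.crt
# and flag keys shorter than the NIST SP 800-131A minimum of 2048 bits.
# Assumes an OpenSSL CLI named "openssl" (on Gaia you would use cpopenssl).

MIN_RSA_BITS=2048

# rsa_bits_of_cert CERT.pem: print the RSA modulus size in bits.
# Prints 0 and returns 1 if the file is unreadable or the key is not RSA.
rsa_bits_of_cert() {
    txt=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo 0; return 1; }
    case "$txt" in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) echo 0; return 1 ;;
    esac
    # Matches both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (3.x)
    printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_cert_key_length CERT.pem: return 0 if the key meets MIN_RSA_BITS, else 1.
check_cert_key_length() {
    bits=$(rsa_bits_of_cert "$1")
    if [ "${bits:-0}" -ge "$MIN_RSA_BITS" ]; then
        echo "OK:   $1 uses a ${bits}-bit RSA key"
        return 0
    fi
    echo "WEAK: $1 uses a ${bits:-0}-bit RSA key (minimum is $MIN_RSA_BITS)" >&2
    return 1
}

# make_demo_cert PREFIX BITS: write PREFIX.key / PREFIX.crt, a self-signed
# certificate generated the same way as the Gaia Portal step above
# (constructed demo input; a throwaway subject replaces $CPDIR/conf/openssl.cnf).
make_demo_cert() {
    openssl req -new -x509 -sha256 -days 1 -newkey "rsa:$2" -nodes \
        -subj "/CN=rsa-length-demo" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# On a gateway, after step 6: check_cert_key_length /web/conf/server.crt
```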

Mobile Access Portal / Identity Awareness Portal / DLP Portal / UserCheck Portal

Use this procedure in SmartConsole only if you want to change the RSA key length to 1024-bit or 4096-bit:

  1. Go to 'Policy' menu - click 'Global Properties'
  2. Go to 'SmartDashboard Customization' or 'Advanced' (for R80.x or later) - click on the 'Configure...' button
  3. Go to the 'Certificate and PKI Properties' pane
  4. In the 'host_certs_key_size' field, select either 2048 or 4096
  5. Click 'OK' to apply the changes
  6. Follow 'sk31539' to renew the default certificate
  7. Install the policy onto involved Security Gateways
Internal CA (Root Certificate)

Impact on the Environment and Warnings
  • Throughout this procedure, you delete and recreate the ICA on the management server.
  • This procedure deletes all certificates from a management server. All certificates need to be regenerated and redistributed. You must establish SIC again with all gateways managed by this management server.
  • Therefore:
    • Consult with Check Point support engineers before recreating the CA.
    • Test this in a controlled lab first.
    • Make sure you have a good backup (or even a snapshot) of the management server and that this procedure is done during downtime.

Use this procedure on the Security Management Server only if you want to change the RSA key length (1024 / 2048 / 4096 bit):

  1. Open the $FWDIR/conf/InternalCA.C file.
  2. Add these two lines right after the serial_num_of_digits field:
    :ica_key_size (4096)
    :sic_key_size (4096)

    Note: Make sure to add a TAB before each field name and a single space after each field name.
  3. Follow the instructions in sk14532 - "fwm sic_reset" command on Security Management fails with "There are IKE Certificates that were generated by the internal Certificate Authority".
Client / VPN / User Certificate
  1. Connect to the Internal CA Management Tool on Security Management Server / Domain Management Server.

    For more information about the ICA Management Tool, see sk30501 - Setting up the ICA Management Tool.
  2. Change the Client/VPN/User Certificate key size:

    1. In the upper left menu, go to 'Configure the CA'
    2. Go to the 'Key Size Attributes' section
    3. In the 'User Certificate key size' field, enter the desired value (either 1024, 2048 or 4096)
    4. Click on the 'Apply' button at the top of the page

  3. Regenerate the Client/VPN/User Certificate.
SIC
  1. Connect to the Internal CA Management Tool on Security Management Server / Domain Management Server.

    For more information about the ICA Management Tool, see sk30501 - Setting up the ICA Management Tool.
  2. Change the SIC key size:

    1. In the upper left menu, go to 'Configure the CA'
    2. Go to the 'Key Size Attributes' section
    3. In the 'SIC key size' field, enter the desired value (either 1024, 2048 or 4096)
    4. Click on the 'Apply' button at the top of the page

  3. Regenerate the SIC certificate.
Endpoint

Renewal of the Management Server SIC certificate will automatically renew the Endpoint certificate.
