IKE certificate validity period has changed from 5 years to 1 year by default
Solution

Background:

The IKE certificate (also called the VPN default certificate) is the certificate, issued by the Check Point Internal CA, that the Security Gateway / Cluster Members can use for:

Description of Changes on Security Gateways / Cluster Members:

  • The IKE certificate standard (default) validity period decreased from 5 years to 1 year.
    This means that a newly created or renewed IKE certificate is valid for 1 year unless the standard validity period is changed as described below.
  • The IKE certificate maximum validity period decreased from 20 years to 3 years. A validity period longer than 3 years can no longer be configured.
Important - This change applies only to the IKE certificate (Security Gateway default certificate created by Check Point Internal CA).

This change is implemented starting from:

This change aligns Check Point products with the leading security standards of the Certificate Authority industry and follows their recommendations for certificate validity periods. A shorter validity period limits the time during which a compromised private key can be misused before the certificate expires.

To Extend the IKE Certificate Standard Validity Period to 3 Years:

Important: Perform this procedure during a maintenance window, because renewing the IKE certificate may cause an outage of the VPN tunnels that use it.

  1. Connect to the command line on the Management Server.

  2. Log in to the Expert mode.

  3. On a Multi-Domain Security Management Server only, switch to the context of the Domain Management Server that manages the Security Gateway / Cluster:

    mdsenv <IP Address or Name of Domain Management Server>

  4. Configure the IKE certificate standard validity period to 3 years (the new maximum; the value is in years):

    cpca_client set_cert_validity -k IKE -y 3

  5. Renew the IKE certificate (for more information, see sk31539):

    1. Connect with SmartConsole to the Security Management Server / Domain Management Server that manages the Security Gateway / Cluster.

    2. From the left navigation panel, click Gateways & Servers.

    3. Open the Security Gateway / Cluster object.

    4. From the left tree, click the IPSec VPN pane.

    5. Examine the current expiration date:

      1. In the section Repository of Certificates Available on the Gateway, select the certificate.

      2. Click the "View" button.

      3. In the line "Not Valid After", examine the date.

      4. Click the "OK" button.

    6. In the section Repository of Certificates Available on the Gateway, select the certificate.

    7. Click the "Renew" button.

    8. Click the "Yes" button to confirm.

    9. In the "Generate Keys and Get Internal CA Certificate" window, click "OK".

    10. Click "OK" to close the Security Gateway / Cluster object.

    11. Install the Access Control Policy on the Security Gateway / Cluster object.

    12. Open the Security Gateway / Cluster object.

    13. From the left tree, click the IPSec VPN pane.

    14. Examine the new expiration date and confirm that the renewed certificate is valid for 3 years:

      1. In the section Repository of Certificates Available on the Gateway, select the certificate.

      2. Click the "View" button.

      3. In the line "Not Valid After", confirm that the date is 3 years after the renewal date (not 1 year).

      4. Click the "OK" button.

    15. Click "OK" to close the Security Gateway / Cluster object.
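The expiration check in steps 5 and 14 above can also be done from the command line on the Management Server, which is useful when many gateways must be verified after the default changed from 5 years to 1 year (and the maximum from 20 to 3). The following is an added example, not part of this article and not a Check Point tool: a Python script that parses the listing printed by `cpca_client lscert -kind IKE` (run in Expert mode on the Security Management Server / Domain Management Server) and flags IKE certificates whose total validity exceeds the 3-year maximum, that are not in Valid status, or that expire within 30 days. The three-line-per-certificate layout of the listing is an assumption, and the sample listing (three gateways: a 1-year certificate, a 3-year certificate and a legacy 5-year certificate) is constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample in the ASSUMED layout of `cpca_client lscert -kind IKE`:
# one Subject line, one Status/Kind/Serial/DP line and one
# Not_Before/Not_After line per certificate.  Not real gateways.
SAMPLE_LSCERT = """\
Operation succeeded. rc=0.
Subject = CN=gw-branch VPN Certificate,O=mgmt.example.local.abc123
Status = Valid   Kind = IKE   Serial = 40211   DP = 0
Not_Before: Mon Mar  4 10:15:00 2024   Not_After: Tue Mar  4 10:15:00 2025
Subject = CN=gw-hq VPN Certificate,O=mgmt.example.local.abc123
Status = Valid   Kind = IKE   Serial = 40354   DP = 0
Not_Before: Wed Jun 12 08:00:00 2024   Not_After: Sat Jun 12 08:00:00 2027
Subject = CN=gw-legacy VPN Certificate,O=mgmt.example.local.abc123
Status = Valid   Kind = IKE   Serial = 10002   DP = 0
Not_Before: Tue Jan  5 12:00:00 2021   Not_After: Mon Jan  5 12:00:00 2026
"""

# ctime-style timestamps, e.g. "Mon Mar  4 10:15:00 2024" (note the padded day).
DATE_RE = r"\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
DATE_FMT = "%a %b %d %H:%M:%S %Y"

SUBJECT_RE = re.compile(r"^Subject = (.+)$")
STATUS_RE = re.compile(r"^Status = (\S+)\s+Kind = (\S+)\s+Serial = (\d+)\s+DP = (\d+)")
DATES_RE = re.compile(rf"^Not_Before: ({DATE_RE})\s+Not_After: ({DATE_RE})")


def parse_lscert(text):
    """Turn lscert output into a list of dicts, one per certificate."""
    certs, cur = [], None
    for line in text.splitlines():
        if m := SUBJECT_RE.match(line):
            cur = {"subject": m.group(1)}
            certs.append(cur)
        elif (m := STATUS_RE.match(line)) and cur is not None:
            cur.update(status=m.group(1), kind=m.group(2),
                       serial=int(m.group(3)), dp=int(m.group(4)))
        elif (m := DATES_RE.match(line)) and cur is not None:
            cur["not_before"] = datetime.strptime(m.group(1), DATE_FMT)
            cur["not_after"] = datetime.strptime(m.group(2), DATE_FMT)
    # Drop entries that did not get all three lines (truncated output).
    return [c for c in certs if "not_after" in c and "status" in c]


def check_ike_certs(certs, max_years=3, warn_days=30, now=None):
    """Apply the article's policy: flag IKE certificates whose total validity
    exceeds max_years (3 after the change), that are not Valid, or that expire
    within warn_days.  `now` may be a datetime or an ISO date string; it
    defaults to the current time.  Returns one finding dict per IKE cert."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    now = now or datetime.now()
    findings = []
    for c in certs:
        if c["kind"] != "IKE":
            continue
        span_days = (c["not_after"] - c["not_before"]).days
        years = round(span_days / 365.25)          # whole years of validity
        days_left = (c["not_after"] - now).days
        issues = []
        if c["status"] != "Valid":
            issues.append(f"status is {c['status']}")
        if years > max_years:
            issues.append(f"validity {years}y exceeds maximum {max_years}y")
        if days_left <= warn_days:
            issues.append(f"expires in {days_left} days, renew it")
        findings.append({"subject": c["subject"], "serial": c["serial"],
                         "validity_years": years, "days_left": days_left,
                         "issues": issues})
    return findings


if __name__ == "__main__":
    # On a real Management Server feed `cpca_client lscert -kind IKE` output
    # (e.g. from a saved file) instead of the constructed sample.
    for f in check_ike_certs(parse_lscert(SAMPLE_LSCERT), now="2025-02-20"):
        state = "; ".join(f["issues"]) or "ok"
        print(f"{f['subject']}: {f['validity_years']}y, "
              f"{f['days_left']}d left: {state}")
```

With the sample listing evaluated on 2025-02-20 the script reports the 1-year branch certificate as expiring in 12 days, the 3-year HQ certificate as ok, and the legacy 5-year certificate (issued under the old default) as exceeding the new 3-year maximum; a certificate renewed after step 5 above should show 3 years of validity in this output as well as in the SmartConsole "Not Valid After" line.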
