The ICA Management Tool

The ICA Management Tool lets you:

Manage certificates
Run searches
Recreate CRLs
Configure the ICA
Remove expired certificates

Note - The ICA Management Tool supports TLS.

Check Point ICA is fully compliant with X.509 standards for both certificates and CRLs. See the related X.509 and PKI documentation, and RFC 2459 for more information.

For more information, see:

Using the ICA Management Tool

Use the ICA management tool for user certificate operations only, such as certificate creation. Do not use the ICA management tool to change SIC certificates or VPN certificates. Change SIC and VPN certificates in SmartConsole.

To use the ICA management tool, you must first enable it on the Security Management Server.

Enabling and Connecting to the ICA Management Tool

The ICA Management Tool is disabled by default.

To enable the ICA Management tool

Run this command on the Security Management Server:

cpca_client [-d] set_mgmt_tool on|off [-p <ca_port>] [-a|-u "administrator|user DN" ... ]

The command options are:

Option	Description
on	Starts the ICA Management Tool (by opening port 18265)
off	Stops the ICA Management Tool (by closing port 18265)
-p	Changes the port used to connect to the CA (if the default port is not being used)
-a `"administrator DN" ...`	Sets the DNs of the administrators that will be allowed to use the ICA Management Tool
-u `"user DN" ...`	Sets the DNs of users allowed to use the ICA Management Tool. An option intended for administrators with limited privileges.

Note - If cpca_client is run without -a or -u parameters, the list of the allowed users and administrators remains unchanged.

To Connect to the ICA Management Tool

Add the administrator's certificate to the browser's certificate repository.
Open the ICA Management tool from the browser using this address:
https://<Management_Host_Name>:18265

Authenticate when requested.

The ICA Management Tool GUI

Item	Description
1	Menu Pane Shows a list of operations
2	Operations Pane Manage certificates. The window divides into Search attributes configuration and Bulk operation configuration. Create Certificates. Configure the CA. Contains configuration parameters You can also view the CA's time, name, and the version and build number of the Security Management Server. Manage CRLs. Download, publish, and recreate CRLs.
3	Search Results Pane. The results of the applied operation show in this pane. This window consists of a table with a list of certificates and certificate attributes.

Item

Description

Menu Pane

Shows a list of operations

Operations Pane

Manage certificates. The window divides into Search attributes configuration and Bulk operation configuration.

Create Certificates.

Configure the CA. Contains configuration parameters You can also view the CA's time, name, and the version and build number of the Security Management Server.

Manage CRLs. Download, publish, and recreate CRLs.

Search Results Pane. The results of the applied operation show in this pane. This window consists of a table with a list of certificates and certificate attributes.

Connect to the ICA Management tool using a browser and HTTPS connection.

Important: Before connecting, make sure to add an administrator certificate to the browser's store.

User Certificate Management

Internally managed User Certificates can be initialized, revoked or have their registrations removed using the ICA Management Tool. User Certificates of users managed on an LDAP server can only be managed using the ICA Management Tool.

This table shows User Certificate attributes that can be configured using the ICA Management Tool

Attributes	Default	Configurable	Comments
validity	2 years	yes
key size	2048 bits	yes	Can be set to 4096 bits
DN of User certificates managed by the internal database	CN=user name, OU=users	no	This DN is appended to the DN of the ICA
DN of User certificates managed on an LDAP server		yes	Depends on LDAP branch
KeyUsage	5	yes	Digital signature and Key encipherment
ExtendedKeyUsage	0 (no KeyUsage)	yes

Modifying the Key Size for User Certificates

If the user completes the registration from the Remote Access machine, the key size can be configured in the Advanced Configuration page in SmartConsole.

To configure the key size:

From the Menu, select Global Properties.
Go to Advanced, and in the Advanced Configuration section, click configure.
The Advanced Configuration window opens.
Go to the Certificates and PKI properties page.
Set the new key size for this property: user_certs_key_size.
Click OK.

You can also change the key size using the GuiDBedit Tool (see sk13009). Change the key size as it is listed in users_certs_key_size Global Property. The new value is downloaded when you update the site.

Performing Multiple Simultaneous Operations

The ICA Management Tool can do multiple operations at the same time. For example:

Run an LDAP query for the details of all the organization's employees
Create a file out of this data, and then use this file to:
- Start (initialize) the creation of certificates for all employees
- Send a notification about the new certificates to each of those employees

These operations can be done simultaneously:

Start (initialize) user certificates
Revoke user certificates
Send mail to users
Remove expired certificates
Remove certificates for which the registration procedure was not completed

ICA Administrators with Reduced Privileges

The ICA Management Tool supports administrators with limited privileges. These administrators cannot execute multiple concurrent operations, and their privileges include only these:

Basic searches
Initialization of certificates for new users

Management of SIC Certificates

SIC certificates are managed using SmartConsole.

Management of Gateway VPN Certificates

VPN certificates are managed in the VPN page of the corresponding network object. These certificates are issued automatically when the IPSec VPN blade is defined for the Check Point gateway or host. This definition is specified in the General Properties window of the corresponding network object.

If a VPN certificate is revoked, a new one is issued automatically.

Management of User Certificates in SmartConsole

The user certificates of users that are managed on the internal database are managed in SmartConsole.

For more information, see User Certificates in the R80.10 Remote Access VPN Administration Guide.

Notifying Users about Certificate Initialization

The ICA Management Tool can be configured to send a notification to users about certificate initialization. To send mail notifications

In the Menu pane, click Configure the CA.
In the Management Tool Mail Attributes area, configure:
- The mail server
- The mail "From" address
- An optional 'To' address, which can be used if the users' address is not known
  The administrator can use this address to get the certificates on the user's behalf and forward them later.
Click Apply.

Retrieving the ICA Certificate

For trust purposes, some gateways and remote clients, such as peer gateways that are not managed by the Security Management Server or clients using Clientless VPN, must retrieve the ICA certificate.

To retrieve the ICA Certificate:

Open a browser and enter the applicable URL.
Use this format:

http://<Management Server IP address>:18264

The Certificate Services window opens.
Use the links to download the CA certificate to your computer or (in Windows) install the CA certification path.

Searching for a Certificate

There are two search options:

A basic search that includes only the user name, type, status and the serial number
An advanced search that includes all the search fields (can only be performed by administrators with unlimited privileges)

To do a certificate search:

In the Manage Certificates page, enter the search parameters, and click Search.

Basic Search Parameters

User Name - Username string (by default, this field is empty)
Type - a drop-down list with these options:
- Any (default)
- SIC
- Gateway
- Internal User or LDAP user
Status - Drop-down list with these options:
- Any (default)
- Pending
- Valid
- Revoked
- Expired
- Renewed (superseded)
Serial Number - Serial number of the requested certificate (by default, this field is empty)

Advanced Search Attributes

In addition to the parameters of the basic search, specify these parameters:

Sub DN - DN substring (by default, this field is empty)
Valid From - Date, from which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 15-Jan-2003) (by default, this field is empty)
Valid To - Date until which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 14-Jan-2003 15:39:26) (by default, this field is empty)
CRL Distribution Point - Drop-down list with these options:
- Any (default)
- No CRL Distribution Point (for certificates issued before the management upgrade - old CRL mode certificates)
The list also shows all available CRL numbers.

The Search Results

The results of a search show in the Search Results pane. This pane consists of a table with a list of searched certificate attributes such as:

(SN) Serial Number - The SN of the certificate
User Name (CN) - The string between the first equals sign ("=") and the next comma (",")
DN
Status - One of these: Pending, Valid, Revoked, Expired, Renewed (superseded)
The date from which certificates are valid until the date they expire

Note - The status bar shows search statistics after each search.

Viewing and Saving Certificate Details

You can view or save the certificate details that show in the search results.

To view and save certificate details:

Click on the DN link in the Search Results pane.

If the status is pending, the certificate information together with the registration key shows, and a log entry is created and shows in SmartConsole > Logs & Monitor > Logs.
If the certificate was already created, you can save it on a disk or open directly (if the operating system recognizes the file extension)

Removing and Revoking Certificates and Sending Email Notifications

In the Menu pane, click Manage Certificates.
Search for certificates with set attributes.
The results show in the Search Results pane.
Select the certificates, as needed, and click one of these options:
- Revoke Selected - revokes the selected certificates and removes pending certificates from the CA's database
- Remove Selected - removes the selected certificates from the CA's database and from the CRL
  Note - You can only remove expired or pending certificates.
- Mail to Selected - sends mail for all selected pending certificates
  The mail includes the authorization codes. Messages to users that do not have an email defined are sent to a default address. For more, see Notifying Users about Certificate Initialization.

Submitting a Certificate Request to the CA

There are three ways to submit certificate requests to the CA:

Initiate - A registration key is created on the CA and used once by a user to create a certificate
Generate - A certificate file is created and associated with a password which must be entered when the certificate is accessed
PKCS#10 - When the CA receives a PKCS#10 request, the certificate is created and delivered to the requester

To initiate a certificate:

In the Menu pane, select Create Certificates > Initiate.
Enter a User Name or Full DN, or click Advanced and fill in the form:
- Certificate Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
- Registration Key Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
Click Go.
A registration key is created and show in the Results pane.

If necessary, click Send mail to user to email the registration key. The number of characters in the email is limited to 1900.
The certificate becomes usable after entering the correct registration key.

To generate a certificate:

In the Menu pane, select Create Certificates > Generate.
Enter a User Name or Full DN, or click Advanced and fill in the form:
- Certificate Expiration Date - Select a date or enter the date in the format dd-mm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
- Registration Key Expiration Date - Select a date or enter the date in the format dd-mm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
Enter a password.
Click Go.
Save the P12 file, and supply it to the user.

To create a PKCS#10 certificate:

In the Menu pane, select Create Certificates > PKCS#10.
Paste into the space the encrypted base-64 buffer text provided.
You can also click on Browse for a file to insert (IE only) to import the request file.
Click Create and save the created certificate.
Supply the certificate to the requester.

Initializing Multiple Certificates Simultaneously

You can initialize a batch of certificates at the same time.

To initialize several certificates simultaneously:

Create a file with the list of DNs to initialize.
Note - There are two ways to create this file - through an LDAP query or a non-LDAP query.
In the Menu pain, go to Create Certificates > Advanced.
Browse to the file you created.
- To send registration keys to the users, select Send registration keys via email
- To receive a file that lists the initialized DNs with their registration keys, select Save results to file
  This file can later be used in a script.
Click Initiate from file.

Files created through LDAP Queries

The file initiated by the LDAP search has this format:

Each line after a blank line or the first line in the file represents one DN to be initialized
If the line starts with "mail=", the string continues with the mail of the user
If no email is given, the email address will be taken from the ICA's "Management Tool Mail To Address" attribute.
If there is a line with the not_after attribute, then the value at the next line is the Certificate Expiration Date
The date is given in seconds from now.
If there is a line with the is otp_validity attribute, then the value at the next line is the Registration Key Expiration Date.
The date is given in seconds from now.

Here is an example of an LDAP Search output:

not_after
86400
otp_validity
3600
uid=user_1,ou=People,o=intranet,dc=company,dc=com
mail=user_1@company.com
<blank_line>
…
uid=…

For more information, see User Directory.

Files created through a Simple Non-LDAP Query

It is possible to create a simple (non-LDAP) query by configuring the DN + email in a file using this format:

<email address> space <DN>
… blank line as a separator …
<email address> space <DN>

CRL Management

By default, the CRL is valid for one week. This value can be configured. New CRLs are issued:

When approximately 60% of the CRL validity period has passed
Immediately following the revocation of a certificate

It is possible to recreate a specified CRL using the ICA Management Tool. The utility acts as a recovery mechanism in the event that the CRL is deleted or corrupted. An administrator can download a DER encoded version of the CRL using the ICA Management Tool.

CRL Modes

The ICA can issue multiple CRLs. Multiple CRLs prevent one CRL from becoming larger than 10K. If the CRL exceeds 10K, IKE negotiations can fail when trying to open VPN tunnels.

Multiple CRLs are created by attributing each certificate issued to a specified CRL. If revoked, the serial number of the certificate shows in the specified CRL.

The CRL Distribution Point (CRLDP) extension of the certificate contains the URL of the specified CRL. This ensures that the correct CRL is retrieved when the certificate is validated.

CRL Operations

You can download, update, or recreate CRLs through the ICA management tool.

To do operations with CRLs:

In the Menu pane, select Manage CRLs.
From the drop-down box, select one or more CRLs.
Select an action:
- Click Download to download the CRL.
- Click Publish to renew the CRL after changes have been made to the CRL database.
  This operation is done at an interval set by the CRL Duration attribute.
- Click Recreate to recreate the CRL.

CA Cleanup

To clean up the CA, you must remove the expired certificates. Before you do that, make sure that the time set on the Security Management Server is correct.

To remove the expired certificates:

In the Menu pane, select Manage CRLs > Clean the CA's Database and CRLs from expired certificates.

Configuring the CA

To configure the CA:

In the Menu pane, select Configure the CA.
Edit the CA data values as necessary.
In the Operations pane, select an operation:
- Apply - Save and enter the CA configuration settings.
  If the values are valid, the configured settings become immediately effective. All non-valid strings are changed to the default values.
- Cancel - Reset all values to the values in the last saved configuration.
- Restore Default - Revert the CA to its default configuration settings.
  Entering the string Default in one of the attributes will also reset it to the default after you click Configure. Values that are valid will be changed as requested, and others will change to default values.

CA Data Types and Attributes

The CA data types are:

Time - displayed in the format: <number> days <number> seconds, for example: CRL Duration: 7 days 0 seconds
You can enter the values in the format in which they are displayed (<number> days <number> seconds) or as a number of seconds.
Integer - a regular integer, for example: SIC Key Size: 2048
Boolean - the values can be true or false (not case sensitive), for example: Enable renewal: true
String - an alphanumeric string, for example: Management Tool DN prefix: cn=tests

These are the CA attributes, in alphabetical order:

Attribute	Comment	Values	Default
Authorization Code Length	The number of characters of the authorization codes.	min-6 max-12	6
CRL Duration	The period of time for which the CRL is valid.	min-5 minutes max-1 year	1 week
Enable Renewal	For User certificates. This is a Boolean value setting which stipulates whether to enable renewal or not.	true or false	true
Grace Period Before Revocation	The amount of time the old certificate will remain in Renewed (superseded) state.	min-0 max-5 years	1 week
Grace Period Check Period	The amount of time between sequential checks of the Renewed (superseded) list in order to revoke those whose duration has passed.	min-10 minutes max-1 week	1 day
IKE Certificate Validity Period	The amount of time an IKE certificate will be valid.	min-10 minutes max-20 years	5 years
IKE Certificate Extended Key Usage	Certificate purposes for describing the type of the extended key usage for IKE certificates. Refer to RFC 2459.		means no KeyUsage
IKE Certificate Key usage	Certificate purposes for describing the certificate operations. Refer to RFC 2459.		Digital signature and Key encipherment
Management Tool DN prefix	Determines the DN prefix of a DN that will be created when entering a user name.	possible values CN= UID=	CN=
Management Tool DN suffix	Determines the DN suffix of a DN that will be created when entering a user name.		ou=users
Management Tool Hide Mail Button	For security reasons the mail sending button after displaying a single certificate can be hidden.	true or false	false
Management Tool Mail Server	The SMTP server that will be used in order to send registration code mails. It has no default and must be configured in order for the mail sending option to work.		-
Management Tool Registration Key Validity Period	The amount of time a registration code is valid when initiated using the Management Tool.	min-10 minutes max-2 months	2 weeks
Management Tool User Certificate Validity Period	The amount of time that a user certificate is valid when initiated using the Management Tool.	min-one week max-20 years	2 years
Management Tool Mail From Address	When sending mails this is the email address that will appear in the from field. A report of the mail delivery status will be sent to this address.		-
Management Tool Mail Subject	The email subject field.		-
Management Tool Mail Text Format	The text that appears in the body of the message. 3 variables can be used in addition to the text: `$REG_KEY` (user's registration key); `$EXPIRE` (expiration time); `$USER` (user's DN).		Registration Key: `$REG_KEY` `Expiration: $EXPIRE`
Management Tool Mail To address	When the send mail option is used, the emails to users that have no email address defined will be sent to this address.		-
Max Certificates Per Distribution Point	The maximum capacity of a CRL in the new CRL mode.	min-3 max-400	400
New CRL Mode	A Boolean value describing the CRL mode.	0 for old CRL mode 1 for new mode	true
Number of certificates per search page	The number of certificates that will be displayed in each page of the search window.	min-1 max-approx 700	approx 700
Number of Digits for Serial Number	The number of digits of certificate serial numbers.	min-5 max-10	5
Revoke renewed certificates	This flag determines whether to revoke an old certificate after it has been renewed. The reason for not revoking this is to prevent the CRL from growing each time a certificate is renewed. If the certificate is not revoked the user may have two valid certificates.	true or false	true
SIC Key Size	The key size in bits of keys used in SIC.	possible values: 1024 2048 4096	2048
SIC Certificate Key usage	Certificate purposes for describing the certificate operations. Refer to RFC 2459.		Digital signature and Key encipherment
SIC Certificate Validity Period	The amount of time a SIC certificate will be valid.	min-10 minutes max-20 years	5 years
User Certificate Extended Key Usage	Certificate purposes for describing the type of the extended key usage for User certificates. Refer to RFC 2459.		means no KeyUsage
User Certificate Key Size	The key size in bits of the user's certificates.	Possible values: 1024 2048 4096	2048
User Certificate Key usage	Certificate purposes for describing the certificate operations. Refer to RFC 2459		Digital signature and Key encipherment

Certificate Longevity and Statuses

Certificates issued by the ICA have a defined validity period. When period ends, the certificate expires.

SIC certificates, VPN certificates for Security Gateways and User certificates can be created in one step in SmartConsole. User certificates can also be created in two steps using SmartConsole or the ICA Management Tool. The two steps are:

Initialization – during this step a registration code is created for the user. When this is done, the certificate status is pending
Registration – when the user completes the registration procedure in the remote client. After entering the registration code the certificate becomes valid.

The advantages are:

Enhanced security

The private key is created and stored on the user's machine
The certificate issued by the ICA is downloaded securely to the client.

Pre-issuance automatic and administrator-initiated certificate removal

If a user does not complete the registration procedure in a given period (two weeks by default), the registration code is automatically removed. An administrator can remove the registration key before the user completes the registration procedure. After that, the administrator can revoke the user certificate.

Explicit or Automatic Renewal of User certificates ensuring continuous User connectivity

A user certificate of type PKCS12 can be renewed explicitly by the user. A PKCS12 certificate can also be set to renew automatically when it is about to expire. This renewal operation ensures that the user can continuously connect to the organization's network. The administrator can choose when to set the automatic revoke old user certificates.

One more advantage is:

Automatic renewal of SIC certificates ensuring continuous SIC connectivity

SIC certificates are renewed automatically after 75% of the validity time of the certificate has passed. If, for example, the SIC certificate is valid for five years. After 3.75 years, a new certificate is created and downloaded automatically to the SIC entity. This automatic renewal ensures that the SIC connectivity of the gateway is continuous. The administrator can revoke the old certificate automatically or after a set period of time. By default, the old certificate is revoked one week after certificate renewal.