The ICA Management Tool lets you:
Note - The ICA Management Tool supports TLS.
Check Point ICA is fully compliant with X.509 standards for both certificates and CRLs. See the related X.509 and PKI documentation, and RFC 2459 for more information.
For more information, see:
Use the ICA management tool for user certificate operations only, such as certificate creation. Do not use the ICA management tool to change SIC certificates or VPN certificates. Change SIC and VPN certificates in SmartConsole.
To use the ICA management tool, you must first enable it on the Security Management Server.
The ICA Management Tool is disabled by default.
To enable the ICA Management tool
Run this command on the Security Management Server:
cpca_client [-d] set_mgmt_tool on|off [-p <ca_port>] [-a|-u "administrator|user DN" ... ]
The command options are:
Option | Description |
---|---|
on | Starts the ICA Management Tool (by opening port 18265) |
off | Stops the ICA Management Tool (by closing port 18265) |
-p | Changes the port used to connect to the CA (if the default port is not being used) |
-a | Sets the DNs of the administrators that will be allowed to use the ICA Management Tool |
-u | Sets the DNs of users allowed to use the ICA Management Tool. An option intended for administrators with limited privileges. |
Note - If cpca_client is run without -a or -u parameters, the list of the allowed users and administrators remains unchanged.
To Connect to the ICA Management Tool
https://<Management_Host_Name>:18265
Authenticate when requested.
Item | Description |
---|---|
1 | Menu Pane. Shows a list of operations. |
2 | Operations Pane. Manage certificates: the window divides into Search attributes configuration and Bulk operation configuration. Create Certificates. Configure the CA: contains configuration parameters. You can also view the CA's time, name, and the version and build number of the Security Management Server. Manage CRLs: download, publish, and recreate CRLs. |
3 | Search Results Pane. The results of the applied operation show in this pane. This window consists of a table with a list of certificates and certificate attributes. |
Connect to the ICA Management tool using a browser and HTTPS connection.
Important: Before connecting, make sure to add an administrator certificate to the browser's store.
Internally managed User Certificates can be initialized, revoked or have their registrations removed using the ICA Management Tool. User Certificates of users managed on an LDAP server can only be managed using the ICA Management Tool.
This table shows User Certificate attributes that can be configured using the ICA Management Tool:
Attributes | Default | Configurable | Comments |
---|---|---|---|
validity | 2 years | yes | |
key size | 2048 bits | yes | Can be set to 4096 bits |
DN of User certificates managed by the internal database | CN=user name, OU=users | no | This DN is appended to the DN of the ICA |
DN of User certificates managed on an LDAP server | | yes | Depends on LDAP branch |
KeyUsage | 5 | yes | Digital signature and Key encipherment |
ExtendedKeyUsage | 0 (no KeyUsage) | yes | |
If the user completes the registration from the Remote Access machine, the key size can be configured in the Advanced Configuration page in SmartConsole.
To configure the key size:
The Advanced Configuration window opens.
user_certs_key_size.
You can also change the key size using the GuiDBedit Tool (see sk13009). Change the key size as it is listed in the users_certs_key_size Global Property. The new value is downloaded when you update the site.
The ICA Management Tool can do multiple operations at the same time. For example:
These operations can be done simultaneously:
The ICA Management Tool supports administrators with limited privileges. These administrators cannot execute multiple concurrent operations, and their privileges include only these:
SIC certificates are managed using SmartConsole.
VPN certificates are managed in the VPN page of the corresponding network object. These certificates are issued automatically when the IPSec VPN blade is defined for the Check Point gateway or host. This definition is specified in the General Properties window of the corresponding network object.
If a VPN certificate is revoked, a new one is issued automatically.
The user certificates of users that are managed on the internal database are managed in SmartConsole.
For more information, see User Certificates in the R80.10 Remote Access VPN Administration Guide.
The ICA Management Tool can be configured to send a notification to users about certificate initialization.
To send mail notifications:
"From" address
"To" address, which can be used if the users' address is not known. The administrator can use this address to get the certificates on the user's behalf and forward them later.
For trust purposes, some gateways and remote clients, such as peer gateways that are not managed by the Security Management Server or clients using Clientless VPN, must retrieve the ICA certificate.
To retrieve the ICA Certificate:
Use this format:
http://<Management Server IP address>:18264
The Certificate Services window opens.
There are two search options:
To do a certificate search:
In the Manage Certificates page, enter the search parameters, and click Search.
In addition to the parameters of the basic search, specify these parameters:
The list also shows all available CRL numbers.
The results of a search show in the Search Results pane. This pane consists of a table with a list of searched certificate attributes such as:
Note - The status bar shows search statistics after each search.
You can view or save the certificate details that show in the search results.
To view and save certificate details:
Click on the DN link in the Search Results pane.
The results show in the Search Results pane.
Note - You can only remove expired or pending certificates.
The mail includes the authorization codes. Messages to users that do not have an email defined are sent to a default address. For more, see Notifying Users about Certificate Initialization.
There are three ways to submit certificate requests to the CA:
To initiate a certificate:
A registration key is created and shown in the Results pane.
If necessary, click Send mail to user to email the registration key. The number of characters in the email is limited to 1900.
To generate a certificate:
To create a PKCS#10 certificate:
You can also click on Browse for a file to insert (IE only) to import the request file.
You can initialize a batch of certificates at the same time.
To initialize several certificates simultaneously:
Note - There are two ways to create this file - through an LDAP query or a non-LDAP query.
This file can later be used in a script.
Files created through LDAP Queries
The file initiated by the LDAP search has this format:
"mail=", the string continues with the mail of the user. If no email is given, the email address will be taken from the ICA's "Management Tool Mail To Address" attribute.
not_after attribute, then the value at the next line is the Certificate Expiration Date. The date is given in seconds from now.
otp_validity attribute, then the value at the next line is the Registration Key Expiration Date. The date is given in seconds from now.
Here is an example of an LDAP Search output:
For more information, see User Directory.
Files created through a Simple Non-LDAP Query
It is possible to create a simple (non-LDAP) query by configuring the DN + email in a file using this format:
By default, the CRL is valid for one week. This value can be configured. New CRLs are issued:
It is possible to recreate a specified CRL using the ICA Management Tool. The utility acts as a recovery mechanism in the event that the CRL is deleted or corrupted. An administrator can download a DER encoded version of the CRL using the ICA Management Tool.
CRL Modes
The ICA can issue multiple CRLs. Multiple CRLs prevent one CRL from becoming larger than 10K. If the CRL exceeds 10K, IKE negotiations can fail when trying to open VPN tunnels.
Multiple CRLs are created by attributing each certificate issued to a specified CRL. If revoked, the serial number of the certificate shows in the specified CRL.
The CRL Distribution Point (CRLDP) extension of the certificate contains the URL of the specified CRL. This ensures that the correct CRL is retrieved when the certificate is validated.
You can download, update, or recreate CRLs through the ICA management tool.
To do operations with CRLs:
This operation is done at an interval set by the CRL Duration attribute.
To clean up the CA, you must remove the expired certificates. Before you do that, make sure that the time set on the Security Management Server is correct.
To remove the expired certificates:
In the Menu pane, select Manage CRLs > Clean the CA's Database and CRLs from expired certificates.
To configure the CA:
If the values are valid, the configured settings become immediately effective. All non-valid strings are changed to the default values.
Entering the string Default in one of the attributes will also reset it to the default after you click Configure. Values that are valid will be changed as requested, and others will change to default values.
The CA data types are:
<number> days <number> seconds, for example: CRL Duration: 7 days 0 seconds
You can enter the values in the format in which they are displayed (<number> days <number> seconds) or as a number of seconds.
SIC Key Size: 2048
Enable renewal: true
Management Tool DN prefix: cn=tests
These are the CA attributes, in alphabetical order:
Attribute | Comment | Values | Default |
---|---|---|---|
Authorization Code Length | The number of characters of the authorization codes. | min-6 max-12 | 6 |
CRL Duration | The period of time for which the CRL is valid. | min-5 minutes max-1 year | 1 week |
Enable Renewal | For User certificates. This is a Boolean value setting which stipulates whether to enable renewal or not. | true or false | true |
Grace Period Before Revocation | The amount of time the old certificate will remain in Renewed (superseded) state. | min-0 max-5 years | 1 week |
Grace Period Check Period | The amount of time between sequential checks of the Renewed (superseded) list in order to revoke those whose duration has passed. | min-10 minutes max-1 week | 1 day |
IKE Certificate Validity Period | The amount of time an IKE certificate will be valid. | min-10 minutes max-20 years | 5 years |
IKE Certificate Extended Key Usage | Certificate purposes for describing the type of the extended key usage for IKE certificates. Refer to RFC 2459. | | means no KeyUsage |
IKE Certificate Key usage | Certificate purposes for describing the certificate operations. Refer to RFC 2459. | | Digital signature and Key encipherment |
Management Tool DN prefix | Determines the DN prefix of a DN that will be created when entering a user name. | possible values CN= UID= | CN= |
Management Tool DN suffix | Determines the DN suffix of a DN that will be created when entering a user name. | | ou=users |
Management Tool Hide Mail Button | For security reasons the mail sending button after displaying a single certificate can be hidden. | true or false | false |
Management Tool Mail Server | The SMTP server that will be used in order to send registration code mails. It has no default and must be configured in order for the mail sending option to work. | | - |
Management Tool Registration Key Validity Period | The amount of time a registration code is valid when initiated using the Management Tool. | min-10 minutes max-2 months | 2 weeks |
Management Tool User Certificate Validity Period | The amount of time that a user certificate is valid when initiated using the Management Tool. | min-one week max-20 years | 2 years |
Management Tool Mail From Address | When sending mails this is the email address that will appear in the from field. A report of the mail delivery status will be sent to this address. | | - |
Management Tool Mail Subject | The email subject field. | | - |
Management Tool Mail Text Format | The text that appears in the body of the message. 3 variables can be used in addition to the text: | | Registration Key: |
Management Tool Mail To address | When the send mail option is used, the emails to users that have no email address defined will be sent to this address. | | - |
Max Certificates Per Distribution Point | The maximum capacity of a CRL in the new CRL mode. | min-3 max-400 | 400 |
New CRL Mode | A Boolean value describing the CRL mode. | 0 for old CRL mode 1 for new mode | true |
Number of certificates per search page | The number of certificates that will be displayed in each page of the search window. | min-1 max-approx 700 | approx 700 |
Number of Digits for Serial Number | The number of digits of certificate serial numbers. | min-5 max-10 | 5 |
Revoke renewed certificates | This flag determines whether to revoke an old certificate after it has been renewed. The reason for not revoking this is to prevent the CRL from growing each time a certificate is renewed. If the certificate is not revoked the user may have two valid certificates. | true or false | true |
SIC Key Size | The key size in bits of keys used in SIC. | possible values: 1024 2048 4096 | 2048 |
SIC Certificate Key usage | Certificate purposes for describing the certificate operations. Refer to RFC 2459. | | Digital signature and Key encipherment |
SIC Certificate Validity Period | The amount of time a SIC certificate will be valid. | min-10 minutes max-20 years | 5 years |
User Certificate Extended Key Usage | Certificate purposes for describing the type of the extended key usage for User certificates. Refer to RFC 2459. | | means no KeyUsage |
User Certificate Key Size | The key size in bits of the user's certificates. | Possible values: 1024 2048 4096 | 2048 |
User Certificate Key usage | Certificate purposes for describing the certificate operations. Refer to RFC 2459. | | Digital signature and Key encipherment |
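Because non-valid entries are changed to their defaults rather than rejected, a mistyped value can leave a weaker or longer-lived setting in place than intended. The following pre-check is an added example, not Check Point code: it models a subset of the table above and reports which fields in a planned change would fall back to the default. It assumes that out-of-range values count as non-valid, that a year is 365 days, and that only the exact displayed duration format or a plain number of seconds is accepted; the names `ATTRS`, `effective` and `review` are hypothetical.

```python
import re

DAY = 86400
YEAR = 365 * DAY  # assumption: the page does not say how the tool counts a year

# attribute -> (kind, allowed, default), subset of the table; durations in seconds
ATTRS = {
    "CRL Duration": ("time", (5 * 60, YEAR), 7 * DAY),
    "Grace Period Before Revocation": ("time", (0, 5 * YEAR), 7 * DAY),
    "Grace Period Check Period": ("time", (10 * 60, 7 * DAY), DAY),
    "Authorization Code Length": ("int", (6, 12), 6),
    "Max Certificates Per Distribution Point": ("int", (3, 400), 400),
    "SIC Key Size": ("enum", (1024, 2048, 4096), 2048),
}
DISPLAYED = re.compile(r"([0-9]+) days ([0-9]+) seconds")

def to_number(kind, text):
    """Return the field as an int (seconds for durations), or None."""
    m = DISPLAYED.fullmatch(text) if kind == "time" else None
    if m:
        return int(m.group(1)) * DAY + int(m.group(2))
    return int(text) if re.fullmatch(r"[0-9]+", text) else None

def effective(attr, text):
    """Return (status, value) the CA ends up with for one submitted field."""
    kind, allowed, default = ATTRS[attr]
    text = text.strip()
    if text == "Default":  # documented way to reset an attribute
        return ("reset", default)
    n = to_number(kind, text)
    in_range = n is not None and (
        n in allowed if kind == "enum" else allowed[0] <= n <= allowed[1])
    # Assumption: out-of-range counts as non-valid and falls back to default.
    return ("ok", n) if in_range else ("fallback", default)

def review(changes):
    """Return [(attribute, submitted, default)] for fields that would fall back."""
    return [(a, t, effective(a, t)[1]) for a, t in changes.items()
            if effective(a, t)[0] == "fallback"]

# Constructed change request: two entries are mistyped on purpose.
SAMPLE = {"CRL Duration": "1 day 0 seconds", "SIC Key Size": "3072",
          "Grace Period Check Period": "0 days 3600 seconds"}
if __name__ == "__main__":
    print(review(SAMPLE))
```

In the constructed sample, the intended one-day CRL Duration would end up as the one-week default, so revocations would reach relying parties later than the administrator planned.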
Certificates issued by the ICA have a defined validity period. When this period ends, the certificate expires.
SIC certificates, VPN certificates for Security Gateways and User certificates can be created in one step in SmartConsole. User certificates can also be created in two steps using SmartConsole or the ICA Management Tool. The two steps are:
The advantages are:
Enhanced security
Pre-issuance automatic and administrator-initiated certificate removal
If a user does not complete the registration procedure in a given period (two weeks by default), the registration code is automatically removed. An administrator can remove the registration key before the user completes the registration procedure. After that, the administrator can revoke the user certificate.
Explicit or Automatic Renewal of User certificates ensuring continuous User connectivity
A user certificate of type PKCS12 can be renewed explicitly by the user. A PKCS12 certificate can also be set to renew automatically when it is about to expire. This renewal operation ensures that the user can continuously connect to the organization's network. The administrator can choose when old user certificates are automatically revoked.
One more advantage is:
Automatic renewal of SIC certificates ensuring continuous SIC connectivity
SIC certificates are renewed automatically after 75% of the validity time of the certificate has passed. If, for example, the SIC certificate is valid for five years, then after 3.75 years a new certificate is created and downloaded automatically to the SIC entity. This automatic renewal ensures that the SIC connectivity of the gateway is continuous. The administrator can revoke the old certificate automatically or after a set period of time. By default, the old certificate is revoked one week after certificate renewal.