Certificate Longevity and Statuses
Certificates issued by the ICA (Internal Certificate Authority, the component on the Check Point Management Server that issues certificates for authentication) have a defined validity period. When that period ends, the certificate expires.
SIC (Secure Internal Communication) is the Check Point proprietary mechanism with which computers that run Check Point software authenticate each other over SSL; this authentication is based on the certificates issued by the ICA on a Check Point Management Server. SIC certificates, VPN certificates for Security Gateways, and User certificates can be created in one step in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on). User certificates can also be created in two steps, using SmartConsole or the ICA Management Tool:
- Initialization - a registration code is created for the user. While the code is outstanding, the certificate status is pending.
- Registration - the user completes the registration procedure in the remote client. After the user enters the registration code, the certificate status becomes valid.
The advantages of the two-step procedure are:
Enhanced security
- The private key is created and stored on the user's machine; it never leaves it.
- The certificate issued by the ICA is downloaded securely to the client.
Pre-issuance automatic and administrator-initiated certificate removal
If the user does not complete the registration procedure within a given period (two weeks by default), the registration code is removed automatically. Before the user completes registration, an administrator can remove the registration code manually, which prevents the certificate from ever being issued. Once the user has registered, removal is no longer an option; instead, the administrator revokes the user certificate.
Explicit or automatic renewal of User certificates, ensuring continuous user connectivity
A user certificate of type PKCS12 can be renewed explicitly by the user. A PKCS12 certificate can also be set to renew automatically when it is about to expire. Renewal ensures that the user can keep connecting to the organization's network without interruption. The administrator chooses when the superseded user certificate is revoked automatically after renewal.
One more advantage is:
Automatic renewal of SIC certificates, ensuring continuous SIC connectivity
SIC certificates are renewed automatically after 75% of the certificate's validity time has passed. For example, if a SIC certificate is valid for five years, a new certificate is created after 3.75 years and downloaded automatically to the SIC entity. This automatic renewal ensures that the SIC connectivity of the Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) is continuous. The administrator can have the old certificate revoked immediately or after a set period of time; by default, the old certificate is revoked one week after renewal. During that week both certificates are valid, which is what keeps the gateway reachable while the new certificate propagates.
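To make the lifecycle concrete, the following is an added Python model of the statuses and timings this page describes; it is an illustration written for this page, not Check Point code, and the class and function names (Certificate, UserEnrollment, renew_sic_certificate, and the Status enum) are my own. The defaults are the ones stated above: a two-week registration window for a pending user certificate, SIC renewal at 75% of the validity period, and revocation of the superseded SIC certificate one week after renewal. The model does not touch key material at all, because in the two-step flow the private key is generated on the user's machine and never passes through the ICA.

```python
"""Model of the ICA certificate lifecycle described on this page.
Added illustration, not Check Point code. Defaults come from the page:
two-week registration window, SIC renewal at 75% of validity, old SIC
certificate revoked one week after renewal. Names are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

REGISTRATION_WINDOW = timedelta(weeks=2)    # default registration code lifetime
RENEWAL_FRACTION = 0.75                      # SIC renewal point in the validity period
OLD_CERT_REVOKE_DELAY = timedelta(weeks=1)   # default delay before old SIC cert is revoked


class Status(Enum):
    PENDING = "pending"    # registration code issued, user not yet registered
    VALID = "valid"
    EXPIRED = "expired"
    REVOKED = "revoked"
    REMOVED = "removed"    # registration code removed (timeout or admin) before registration


@dataclass
class Certificate:
    issued: datetime
    validity: timedelta
    revoke_at: datetime | None = None   # scheduled or explicit revocation time

    @property
    def expires(self) -> datetime:
        return self.issued + self.validity

    @property
    def renewal_due(self) -> datetime:
        # timedelta supports multiplication by a float, so 5 years * 0.75 = 3.75 years
        return self.issued + self.validity * RENEWAL_FRACTION

    def status(self, now: datetime) -> Status:
        # Revocation wins over everything else: a revoked certificate stays
        # revoked even while it is still inside its validity period.
        if self.revoke_at is not None and now >= self.revoke_at:
            return Status.REVOKED
        if now >= self.expires:
            return Status.EXPIRED
        return Status.VALID


def renew_sic_certificate(old: Certificate, now: datetime) -> Certificate | None:
    """Automatic SIC renewal: once 75% of the validity time has passed, issue a
    replacement with the same validity and schedule the old certificate for
    revocation one week later. Returns None if renewal is not yet due or the
    old certificate is no longer valid."""
    if now < old.renewal_due or old.status(now) is not Status.VALID:
        return None
    old.revoke_at = now + OLD_CERT_REVOKE_DELAY   # overlap keeps SIC connectivity up
    return Certificate(issued=now, validity=old.validity)


@dataclass
class UserEnrollment:
    """Two-step user certificate issuance: initialization creates a registration
    code (status pending); registration turns it into a valid certificate."""
    code_created: datetime
    validity: timedelta
    registered: datetime | None = None
    removed: datetime | None = None
    cert: Certificate | None = None

    def status(self, now: datetime) -> Status:
        if self.cert is not None:
            return self.cert.status(now)
        if self.removed is not None and now >= self.removed:
            return Status.REMOVED
        if now >= self.code_created + REGISTRATION_WINDOW:
            return Status.REMOVED          # code timed out automatically
        return Status.PENDING

    def remove_code(self, now: datetime) -> bool:
        """Administrator-initiated removal; only possible before registration."""
        if self.status(now) is not Status.PENDING:
            return False
        self.removed = now
        return True

    def register(self, now: datetime) -> bool:
        """User completes registration with the code; fails if the code is gone."""
        if self.status(now) is not Status.PENDING:
            return False
        self.registered = now
        self.cert = Certificate(issued=now, validity=self.validity)
        return True

    def revoke(self, now: datetime) -> bool:
        """Administrator revokes an issued certificate; the post-registration
        counterpart of remove_code."""
        if self.cert is None or self.cert.status(now) is not Status.VALID:
            return False
        self.cert.revoke_at = now
        return True
```

Two checks worth keeping in mind when reasoning with this model: renewal is driven by the 75% mark, not by the expiry date, so a gateway whose clock is badly skewed can renew far too early or too late; and the old SIC certificate remains valid for the overlap week, so anyone reviewing the ICA's issued-certificate list will legitimately see two valid SIC certificates for the same gateway during that window.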