CA Procedures

CA Cleanup

To clean up the CA, you must remove the expired certificates. Before you do that, make sure that the time set on the Security Management Server is correct, because an incorrect clock can cause certificates that are still valid to be treated as expired (or expired ones to be kept).

To remove the expired certificates:

  1. Make sure that the time configured on the Management Server is correct (see the R81 Gaia Administration Guide > System Management chapter > Time section).

  2. In the Menu pane, select Manage CRLs > Clean the CA's Database and CRLs from expired certificates.

Automatic removal of expired certificates (Available from R81 Jumbo Hotfix Accumulator Take 42)

  • After each restart, all expired certificates are cleaned automatically.

  • In addition, an automatic cleaning operation is scheduled to run every 3 weeks, counted from:

    • The first time you turn on the Management Server.

    • Each restart you do on the Management Server.

Configuring the CA

To configure the CA

  1. In the Menu pane, select Configure the CA.

  2. Edit the CA Data Types and Attributes as necessary.

  3. In the Operations pane, select an operation:

    • Apply - Save and enter the CA configuration settings.

      If the values are valid, the configured settings take effect immediately. All invalid strings are changed to the default values.

    • Cancel - Reset all values to the values in the last saved configuration.

    • Restore Default - Revert the CA to its default configuration settings.

      Entering the string Default in one of the attributes also resets that attribute to its default after you click Configure. Valid values are changed as requested, and all other values change to the default values.

CA Data Types and Attributes

The CA data types are:

  • Time - displayed in the format: <number> days <number> seconds, for example: CRL Duration: 7 days 0 seconds

    You can enter the values in the format in which they are displayed (<number> days <number> seconds) or as a number of seconds.

  • Integer - a regular integer, for example: SIC Key Size: 2048

  • Boolean - the values can be true or false (not case sensitive), for example: Enable renewal: true

  • String - an alphanumeric string, for example: Management Tool DN prefix: cn=tests
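The following is an added example, not Check Point's code, that models the four data types and the Apply rule described above (the literal string Default resets an attribute, and any invalid value falls back to the default). The minimum, maximum and default values are taken from the attribute table on this page; the function and class names, the representation of "1 year" as 365 days, and the handling of a value outside the allowed range as "invalid" are assumptions of this example.

```python
"""Model of the ICA configuration value formats described on this page.

Added example (not Check Point's code).  Time values are accepted either in
the displayed form "<number> days <number> seconds" or as a plain number of
seconds; Integer, Boolean and String values are range- or choice-checked.
Limits come from the attribute table; names and the 365-day year are
assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Union

DAY = 24 * 60 * 60

# "<n> days <n> seconds", case-insensitive, singular or plural
_TIME_RE = re.compile(r"^\s*(\d+)\s+days?\s+(\d+)\s+seconds?\s*$", re.IGNORECASE)


def parse_time(text: str) -> Optional[int]:
    """Return the duration in seconds, or None if the text is not a valid Time."""
    text = text.strip()
    if text.isdigit():                      # plain number of seconds
        return int(text)
    m = _TIME_RE.match(text)
    if not m:
        return None
    return int(m.group(1)) * DAY + int(m.group(2))


def format_time(seconds: int) -> str:
    """Render seconds in the displayed "<n> days <n> seconds" form."""
    return f"{seconds // DAY} days {seconds % DAY} seconds"


def parse_boolean(text: str) -> Optional[bool]:
    """Boolean values are true/false, not case sensitive."""
    t = text.strip().lower()
    if t == "true":
        return True
    if t == "false":
        return False
    return None


@dataclass(frozen=True)
class Attribute:
    name: str
    kind: str                                   # "time", "integer", "boolean" or "string"
    default: Union[int, bool, str]
    minimum: Optional[int] = None
    maximum: Optional[int] = None
    choices: Optional[Tuple] = None             # fixed set of allowed values, if any


# A few attributes from the table (limits as stated on the page; 1 year = 365 days assumed)
ATTRIBUTES = {
    "CRL Duration": Attribute("CRL Duration", "time", 7 * DAY, 5 * 60, 365 * DAY),
    "Authorization Code Length": Attribute("Authorization Code Length", "integer", 6, 6, 12),
    "SIC Key Size": Attribute("SIC Key Size", "integer", 2048, choices=(1024, 2048, 4096)),
    "Enable Renewal": Attribute("Enable Renewal", "boolean", True),
    "Management Tool DN prefix": Attribute("Management Tool DN prefix", "string", "CN=",
                                           choices=("CN=", "UID=")),
}


def apply_value(attr: Attribute, raw: str) -> Union[int, bool, str]:
    """Return the value that would be stored after Apply.

    Mirrors the rule on the page: the string "Default" resets the attribute,
    and any value that cannot be parsed or is outside the allowed range or
    choice list is replaced by the default.
    """
    if raw.strip().lower() == "default":
        return attr.default
    if attr.kind == "time":
        value = parse_time(raw)
    elif attr.kind == "integer":
        value = int(raw) if raw.strip().lstrip("-").isdigit() else None
    elif attr.kind == "boolean":
        value = parse_boolean(raw)
    else:
        value = raw.strip() or None
    if value is None:
        return attr.default
    if attr.choices is not None:
        if attr.kind == "string":               # match choices case-insensitively
            match = [c for c in attr.choices if c.lower() == value.lower()]
            return match[0] if match else attr.default
        if value not in attr.choices:
            return attr.default
    if attr.minimum is not None and value < attr.minimum:
        return attr.default
    if attr.maximum is not None and value > attr.maximum:
        return attr.default
    return value


if __name__ == "__main__":
    for name, raw in [("CRL Duration", "60"), ("CRL Duration", "7 days 0 seconds"),
                      ("SIC Key Size", "3072"), ("Enable Renewal", "FALSE")]:
        print(f"{name}: {raw!r} -> {apply_value(ATTRIBUTES[name], raw)!r}")
```

Note that a CRL Duration of 60 seconds is below the 5-minute minimum, so it silently becomes the 1-week default; because Apply replaces invalid input without rejecting it, re-read the displayed value after applying to confirm the setting you intended actually took effect.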

These are the CA attributes, in alphabetical order. Each entry lists the attribute's Comment, its allowed Values and its Default.

Authorization Code Length
    Comment: The number of characters of the authorization codes.
    Values: min 6, max 12
    Default: 6

CRL Duration
    Comment: The period of time for which the CRL is valid.
    Values: min 5 minutes, max 1 year
    Default: 1 week

Enable Renewal
    Comment: For User certificates. A Boolean value that stipulates whether renewal is enabled.
    Values: true or false
    Default: true

Grace Period Before Revocation
    Comment: The amount of time the old certificate remains in the Renewed (superseded) state.
    Values: min 0, max 5 years
    Default: 1 week

Grace Period Check Period
    Comment: The amount of time between sequential checks of the Renewed (superseded) list, in order to revoke those certificates whose grace period has passed.
    Values: min 10 minutes, max 1 week
    Default: 1 day

IKE Certificate Validity Period
    Comment: The amount of time an IKE certificate is valid.
    Values: min 10 minutes, max:

IKE Certificate Extended Key Usage
    Comment: Certificate purposes describing the type of the extended key usage for IKE certificates. Refer to RFC 2459.
    Default: (empty) means no KeyUsage

IKE Certificate Key usage
    Comment: Certificate purposes describing the certificate operations. Refer to RFC 2459.
    Default: Digital signature and Key encipherment

Management Tool DN prefix
    Comment: Determines the DN prefix of the DN that is created when you enter a user name.
    Values: CN= or UID=
    Default: CN=

Management Tool DN suffix
    Comment: Determines the DN suffix of the DN that is created when you enter a user name.
    Default: ou=users

Management Tool Hide Mail Button
    Comment: For security reasons, the mail sending button that appears after displaying a single certificate can be hidden.
    Values: true or false
    Default: false

Management Tool Mail Server
    Comment: The SMTP server used to send registration code mails. It has no default and must be configured for the mail sending option to work.
    Default: -

Management Tool Registration Key Validity Period
    Comment: The amount of time a registration code is valid when initiated using the Management Tool.
    Values: min 10 minutes, max 2 months
    Default: 2 weeks

Management Tool User Certificate Validity Period
    Comment: The amount of time a user certificate is valid when initiated using the Management Tool.
    Values: min one week, max 20 years
    Default: 2 years

Management Tool Mail From Address
    Comment: When sending mails, this is the email address that appears in the From field. A report of the mail delivery status is sent to this address.
    Default: -

Management Tool Mail Subject
    Comment: The email subject field.
    Default: -

Management Tool Mail Text Format
    Comment: The text that appears in the body of the message. Three variables can be used in addition to the text: $REG_KEY (user's registration key), $EXPIRE (expiration time) and $USER (user's DN).
    Default:
        Registration Key: $REG_KEY
        Expiration: $EXPIRE

Management Tool Mail To address
    Comment: When the send mail option is used, emails to users that have no email address defined are sent to this address.
    Default: -

Max Certificates Per Distribution Point
    Comment: The maximum capacity of a CRL in the new CRL mode.
    Values: min 3, max 400
    Default: 400

New CRL Mode
    Comment: A Boolean value describing the CRL mode.
    Values: 0 for old CRL mode, 1 for new mode
    Default: true

Number of certificates per search page
    Comment: The number of certificates displayed on each page of the search window.
    Values: min 1, max approx 700
    Default: approx 700

Number of Digits for Serial Number
    Comment: The number of digits of certificate serial numbers.
    Values: min 5, max 10
    Default: 5

Revoke renewed certificates
    Comment: This flag determines whether to revoke an old certificate after it has been renewed. The reason for not revoking it is to prevent the CRL from growing each time a certificate is renewed. If the certificate is not revoked, the user may have two valid certificates.
    Values: true or false
    Default: true

SIC Key Size
    Comment: The key size in bits of keys used in SIC (Secure Internal Communication).
    Values: 1024, 2048 or 4096
    Default: 2048

SIC Certificate Key usage
    Comment: Certificate purposes describing the certificate operations. Refer to RFC 2459.
    Default: Digital signature and Key encipherment

SIC Certificate Validity Period
    Comment: The amount of time a SIC certificate is valid.
    Values: min 10 minutes, max 20 years
    Default: 5 years

User Certificate Extended Key Usage
    Comment: Certificate purposes describing the type of the extended key usage for User certificates. Refer to RFC 2459.
    Default: (empty) means no KeyUsage

User Certificate Key Size
    Comment: The key size in bits of the user's certificates.
    Values: 1024, 2048 or 4096
    Default: 2048

User Certificate Key usage
    Comment: Certificate purposes describing the certificate operations. Refer to RFC 2459.
    Default: Digital signature and Key encipherment
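The interaction between Revoke renewed certificates, Grace Period Before Revocation and Grace Period Check Period is easiest to see in a small simulation. The following is an added example, not Check Point's code: it models the Renewed (superseded) state, the scheduled grace-period check, and the resulting window during which a user holds two valid certificates. The defaults (1 week grace period, 1 day check period, revocation enabled, 2-year user certificate) are taken from the table; the class and function names, the integer time scale and the renewal scenario are constructed for this example.

```python
"""Simulation of certificate renewal under the grace-period attributes above.

Added example (not Check Point's code).  Times are integers in seconds from
an arbitrary epoch.  With "Revoke renewed certificates" true the old
certificate enters the superseded state and is revoked by the first grace
check that runs after the grace period; with it false the old certificate
is simply left valid until it expires (no CRL growth, but two valid certs).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DAY = 24 * 60 * 60
WEEK = 7 * DAY
USER_CERT_VALIDITY = 2 * 365 * DAY          # table default: 2 years (365-day year assumed)


@dataclass
class Cert:
    serial: int
    subject: str
    not_after: int
    state: str = "valid"                     # "valid", "superseded" or "revoked"
    superseded_at: Optional[int] = None


@dataclass
class CA:
    grace_period: int = WEEK                 # Grace Period Before Revocation (default 1 week)
    check_period: int = DAY                  # Grace Period Check Period (default 1 day)
    revoke_renewed: bool = True              # Revoke renewed certificates (default true)
    certs: List[Cert] = field(default_factory=list)
    crl: List[int] = field(default_factory=list)     # serials of revoked certificates
    next_serial: int = 1
    last_check: int = 0                      # time of the most recent grace check

    def issue(self, subject: str, now: int, validity: int) -> Cert:
        cert = Cert(self.next_serial, subject, now + validity)
        self.next_serial += 1
        self.certs.append(cert)
        return cert

    def renew(self, old: Cert, now: int, validity: int) -> Cert:
        """Issue a replacement; the old one is superseded only if the flag is set."""
        new = self.issue(old.subject, now, validity)
        if self.revoke_renewed:
            old.state = "superseded"        # still valid until the grace check revokes it
            old.superseded_at = now
        return new

    def _grace_check(self, at: int) -> int:
        """One scheduled check: revoke superseded certs whose grace period elapsed."""
        revoked = 0
        for c in self.certs:
            if c.state == "superseded" and at - c.superseded_at >= self.grace_period:
                c.state = "revoked"
                self.crl.append(c.serial)
                revoked += 1
        return revoked

    def advance(self, now: int) -> int:
        """Run every check scheduled between the last check and `now`."""
        revoked = 0
        while self.last_check + self.check_period <= now:
            self.last_check += self.check_period
            revoked += self._grace_check(self.last_check)
        return revoked

    def valid_certs(self, subject: str, now: int) -> List[Cert]:
        return [c for c in self.certs
                if c.subject == subject and c.state != "revoked" and now <= c.not_after]


def renewal_window(revoke_renewed: bool) -> Tuple[int, int, int, int]:
    """Constructed scenario: renew a user cert at day 100 and observe the count of
    valid certificates right away, 5 days later and 9 days later, plus the CRL size."""
    ca = CA(revoke_renewed=revoke_renewed)
    subject = "CN=alice,ou=users"            # constructed DN using the table's default prefix/suffix
    old = ca.issue(subject, 0, USER_CERT_VALIDITY)
    renew_at = 100 * DAY
    ca.advance(renew_at)
    ca.renew(old, renew_at, USER_CERT_VALIDITY)
    right_after = len(ca.valid_certs(subject, renew_at))
    ca.advance(renew_at + 5 * DAY)           # inside the 1-week grace period
    day5 = len(ca.valid_certs(subject, renew_at + 5 * DAY))
    ca.advance(renew_at + 9 * DAY)           # past the grace period and the next check
    day9 = len(ca.valid_certs(subject, renew_at + 9 * DAY))
    return right_after, day5, day9, len(ca.crl)


if __name__ == "__main__":
    print("revoke renewed = true :", renewal_window(True))
    print("revoke renewed = false:", renewal_window(False))
```

With the defaults the user holds two valid certificates for the whole grace period plus up to one check period (here the old one is revoked by the day-107 check), after which the serial lands on the CRL. Setting the flag to false keeps the CRL small, at the cost of leaving the superseded certificate usable until its own expiry; if you choose that trade-off, shorten the user certificate validity period so the window is bounded.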