https://community.checkpoint.com/t5/Firewall-and-Security-Management/SNX-not-working-after-portal-certificate-change/m-p/275679#M105001 <P>The PFX of the certificate included the entire chain. We used it on other systems with no issues.</P> Fri, 17 Apr 2026 11:12:43 GMT Jonathan 2026-04-17T11:12:43Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SNX-not-working-after-portal-certificate-change/m-p/275600#M104977 <P>Hi,</P><P>My question is about changing a 3rd party certificate for the SSLVPN portal.</P><P>I run a R81.20 last take, as a VSX cluster.</P><P>Employees use SSLVPN for remote access, after authentication they click the green "Connect" button to launch the SNX connection in order to use native applications.</P><P>We use a public CA certificate which is set under the "Portal Settings" section in the gateway setting.</P><P>our current certificate was almost expired and the CA issued us a new one, while maintaining the same intermediate and root.</P><P>We already had the root+intermediate certs installed under the TrustedCA page (SmartDashboard &gt; HTTPs inspection &gt; trusted CAs).</P><P>After installing the new certificate the SNX stopped working. We clicked the "Connect" button, the progrees bar showed up and then it just reverted to the "Connect" again.</P><P>I checked the slimsvc.log file on the client and noticed errors regarding certain certificates fingerprints not matched.</P><P>The only thing that solved the issue was to add again the root+intermediate certs to the trustedCAs repository, even though they were identical (now we have a duplicate).</P><P>Furthermoe, the fingerprint that is shown in the CA itself doesn't look nothing like the fingerprint shown in the GUI in the portal setting page. I guess it's a custom Checkpoint fingerprint...</P><P>So, my question is why is this happening? why did I have to install the CAs again? will this happen everytime? is there a table holding the "Real fingerprint" vs. "CP's fingerprint" I can see?</P><P>We're trying to create a scripted automation for changing the portal certificate and we want to understand the flow.</P><P>Thanks</P><P>&nbsp;</P> Thu, 16 Apr 2026 10:11:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SNX-not-working-after-portal-certificate-change/m-p/275600#M104977 Jonathan 2026-04-16T10:11:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SNX-not-working-after-portal-certificate-change/m-p/275648#M104987 <P>Did you include the root and intermediate CAs when you imported the renewed certificate?</P> <P>I'm fairly certain what we print on connection is a "human readable hash" per RFC 1751 versus the hexadecimal hash encoded in the cerftificate.<BR />There's a Python script to convert the hexadecimal hash to that readable hash on CheckMates:&nbsp;<A href="https://community.checkpoint.com/t5/Scripts/rfc1751-py/td-p/194975" target="_blank">https://community.checkpoint.com/t5/Scripts/rfc1751-py/td-p/194975</A>&nbsp;</P> Thu, 16 Apr 2026 23:51:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SNX-not-working-after-portal-certificate-change/m-p/275648#M104987 PhoneBoy 2026-04-16T23:51:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SNX-not-working-after-portal-certificate-change/m-p/275679#M105001 <P>The PFX of the certificate included the entire chain. We used it on other systems with no issues.</P> Fri, 17 Apr 2026 11:12:43 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SNX-not-working-after-portal-certificate-change/m-p/275679#M105001 Jonathan 2026-04-17T11:12:43Z