topic Re: install a Certificate for IPSec VPN in Firewall and Security Management

install a Certificate for IPSec VPN

Alex_Wu — Tue, 09 Jun 2020 01:35:00 GMT

Hi All,

is it possible to install a public certificate for IPSec VPN without creating TrustCA or CSR?

Supposed that I already have a public certificate vpn.domain.com, I just want install it...

Re: install a Certificate for IPSec VPN

MartinTzvetanov — Wed, 10 Jun 2020 07:40:25 GMT

Yes, use Add to import it.

Re: install a Certificate for IPSec VPN

Alex_Wu — Fri, 12 Jun 2020 08:43:58 GMT

finally, you have to generate CSR if you import it...

i now have a certificate, i just want o replace the default certificate

Re: install a Certificate for IPSec VPN

Yuber_Sierra_av — Tue, 11 Oct 2022 21:42:42 GMT

Hello,

I'm worndering the same as @Alex_Wu, in my case I'm replacing old Cluster to new gateway models, so, I need to import the IPSec VPN Certificate which resides in the SMS, but there is no such option to Import the certificate to the new Cluster. If you click "Add" it takes you to generate the CSR, but I already have the signed certificate, you need to import it.

Thank you.

Re: install a Certificate for IPSec VPN

Yuber_Sierra_av — Tue, 11 Oct 2022 21:44:04 GMT

Hello,

Thank you.

Re: install a Certificate for IPSec VPN

MartinTzvetanov — Wed, 12 Oct 2022 06:24:56 GMT

If you are about to replace the cluster members in an existing cluster, you will only remove the old device from the cluster and initiate SIC with the new member, the policy for the cluster stays the same and the same certificate will be installed on the new device. If you create a new cluster with the new devices you must have the certificate to import it to the new cluster.

Re: install a Certificate for IPSec VPN

Yuber_Sierra_av — Wed, 12 Oct 2022 13:44:31 GMT

I have a new CLuster because new models (6600) vs old models (4800) are different in hardware and software, also

Indeed I have the certificate which I can export form the SMS, but there is no such option to Import the certificate to the new Cluster. If you click "Add" it takes you to generate the CSR, but I already have the signed certificate.

Re: install a Certificate for IPSec VPN

PhoneBoy — Wed, 12 Oct 2022 14:52:01 GMT

If both the old and new gateways are managed by the same management, there is no need to do this as new certificates will be generated and automatically trusted.
Any third party will validate the certificate is valid through the certificate authority.
So I’m not sure why this is necessary.

Re: install a Certificate for IPSec VPN

Yuber_Sierra_av — Wed, 12 Oct 2022 15:43:35 GMT

Hello and thank you for your support.

Yes, both are managed by the same management, but the certificate is from an external CA (Digicert). Let me show you some images for better explanation:

This is the current CLuster which I need to replace, it has the certificate signed by Digicert CA.

Now, this is the new Cluster which I'm preparing for migration, so, I need to ensure it has the same certificate as current Cluster. I know I can export the certificate from the SMS with export_p12 command, but there is not option to import such certificate in the Cluster properties:

If I click "Add" this takes me to generate the CSR, but this process was made in the past whe creating the certificate for the current cluster.

So, my question is whether there is a method to import the certificate directly, or need to make the signing process again.

Thank you in advance for your help.

Re: install a Certificate for IPSec VPN

PhoneBoy — Wed, 12 Oct 2022 19:42:56 GMT

Thanks for the screenshots, this helps a lot.
In this case, you must generate a new certificate via a Certificate Signing Request as we do not support importing private keys for VPN usage.
I suspect we don't allow this to maintain the security of the private key.

Re: install a Certificate for IPSec VPN

cyberluke365 — Thu, 06 Nov 2025 09:34:42 GMT

Hello guys,

I understand this is quite an old topic. However, since 2022 I’ve been wondering if there’s any way to import an already existing SSL certificate for an IPsec VPN on R81.20 - just like it’s possible to do for the Platform Administration Web Portal, UserCheck and Mobile Access portal ?
Is there any supported method or workaround to achieve this?

Re: install a Certificate for IPSec VPN

Duane_Toler — Thu, 06 Nov 2025 15:32:09 GMT

Yes, just follow the same information as listed above. You will have needed to generate the CSR from SmartConsole here, tho, as PhoneBoy noted above. Certificates for the other portals are a separate matter, because they use a different internal infrastructure on the gateways (multiportal), whereas IPsec VPN certificates are the VPN and IKE daemons.

As far as importing arbitrary pre-made certificates, then no, you cannot do that. The certificate information (CN, etc.) needs to match the gateway's own information in order to be used correctly. This what the CSR generation process does for you. Plus, this ensures the private key is stored securely on the management server (and pushed to the gateways).

When you have the completed certificate, you can finish the enrollment with the "Complete" button, which will become available for that certificate.

When the certificate is imported, you can select the certificate within the IPsec VPN configuration for the specific remote VPN gateway peer. Edit the interoperable device peer, select IPsec VPN on the left, and you can choose the match criteria for it.

Re: install a Certificate for IPSec VPN

cyberluke365 — Thu, 06 Nov 2025 23:01:42 GMT

Hello @Duane_Toler,

thank you for your prompt response.

I understand that no changes have been made by Check Point regarding this.
Unfortunately, the current/supported procedure doesn’t apply to my scenario: I’m using a wildcard SSL certificate issued by a public CA. It would have been ideal to use it not only for other portals, but also for client VPNs.

Thank you.

Re: install a Certificate for IPSec VPN

Duane_Toler — Fri, 07 Nov 2025 01:06:08 GMT

Ah. Unfortunately, you can't use a wildcard certificate in this fashion.

Here's the SK article on creating the 3rd party CA and any intermediate CAs, then generating the CSR with that CA:

https://support.checkpoint.com/results/sk/sk149253