topic Re: how to import private key in Firewall and Security Management

how to import private key

RioAung — Thu, 25 Aug 2022 00:44:02 GMT

Hi,

i would like to import private key on checkpoint . i am using 5600 security appliance.

My plan is i want to deploy using certificate.I will use third party certificate.

for example , i don't want to generate CSR from checkpoint. i will generate root cert ,private key and certificate for checkpoint by using openssl or other certificate server. This private will help to generate public key and map to VPN.

i will use this certificate for VPN. This process can do on cisco,hp and huwawei.

But i cannot find the reference for checkpoint.

Please let me know how to import private key and how to map this key to VPN certificate point ?

Re: how to import private key

the_rock — Thu, 25 Aug 2022 01:22:27 GMT

Not sure if below may help...

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk170395&partition=Advanced&product=Quantum

Re: how to import private key

delToro1 — Thu, 25 Aug 2022 09:19:24 GMT

Hello RioAung,

I think you can generate the CSR directly from the SGW, after that, you can export it and sign the certificate externally using your prefered method (openssl, any app, or what you want).

Once you have the certificate signed with a third-party CA, not the ICA, you have to complete the procedure and import the certificate, the CRT.

Export the CSR

Import the CRT:

You have to import the 3-Party-CA as Trusted, type OPSEC PKI

Are you going to deploy a Site-to-site certificate based VPN? Check that post:

https://ciberseguridad.blog/check-point-vpn-ipsec-certificated-based/

Best regards!

Re: how to import private key

Gary_Fowler — Tue, 08 Aug 2023 13:02:54 GMT

To my knowledge, checkpoint does not have the ability to import an existing private key, with certificate, into a gateways's IPSec VPN key DB. It would be a simple thing to code, but unfortunately, CheckPoint has not done for reason's I can not fathom.

If you need to use an existing certificate with existing key, then enabling Mobile Access Blade does give you the ability to import a key/cert pair in pkcs12 format.. But it will only be presented by the tcp/443 listener on the gateway; not the IPSec VPN IKE daemon.

Pretty piss poor in my opinion.. again, should be easy to code.. but has never been done.

Maybe someone knows a way to import a private key into a gateway object using CLI commands on the management server.. anyone?

Re: how to import private key

_Val_ — Tue, 08 Aug 2023 15:13:27 GMT

@Gary_Fowler Incorrect. You can use external certificates for anything, IPsec VPN included. Please refer to the admin guide.

Re: how to import private key

DH — Thu, 25 Apr 2024 15:31:03 GMT

I didn't found the point to import existing key to gateway, too. Could you explain how that is possible? I need it for import a wildcard key for VPN client dial-in to authenticate the gateway by themself.