https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208370#M39456 <P>Can you send a screenshot?</P> <P>Andy</P> Mon, 11 Mar 2024 18:01:49 GMT the_rock 2024-03-11T18:01:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208369#M39455 <P>Hello,</P><P>I have two MDS domains,&nbsp; so gateways are managed by a different SMS.</P><P>Between these gateways a vpn site to site is up and running on PSK.</P><P>I want switch from PSK to Certificate issue by Internal CA.</P><P>I imported the "partner" root CA on trusted CA OPSEC PKI server objects.</P><P>Error message, invalid certificate and invalid cookie.</P><P>Verificated root certificates MD5 fingerprints and it is fine.</P><P>What I have missed?</P><P>I found a guide but it is for SMB only.</P><P>&nbsp;</P> Mon, 11 Mar 2024 17:46:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208369#M39455 Ilovecheckpoint 2024-03-11T17:46:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208370#M39456 <P>Can you send a screenshot?</P> <P>Andy</P> Mon, 11 Mar 2024 18:01:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208370#M39456 the_rock 2024-03-11T18:01:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208377#M39459 <P>Hello,</P> <P>On i think you have an externally managed vpn gateway object on each SMS. Di you configure certificate matching criteria on these objects? you should specify the CA the issued the certificate and the DN. Should be done on both sides.</P> <DIV id="tinyMceEditor_60035d1b5f0e66RS_Daniel_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MatchingCriteria.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24809i62D924E3C6163ECE/image-size/medium?v=v2&amp;px=400" role="button" title="MatchingCriteria.png" alt="MatchingCriteria.png" /></span></P> <P> </P> Mon, 11 Mar 2024 18:15:47 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208377#M39459 RS_Daniel 2024-03-11T18:15:47Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208425#M39463 <P>I have selected on each external managed gateways the certificate issue by the other internal domain CA and the DN, but no improvements. I will recheck the configuration and I will run a vpn debug, hoping ikeview will help. Thanks</P> Mon, 11 Mar 2024 21:47:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208425#M39463 Ilovecheckpoint 2024-03-11T21:47:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208891#M39565 <P>I deleted OPSEC PKI and created EXTERNAL CA trust server object and it works, traffic pass into vpn.</P><P>Anyway, the following message appears from time to time: "Certificate defaultCert cannot be validated. Could not retrieve CRL."</P><P>Executed telnet to management ip on port 18264 and it shows as open. Gateway is version 80.20. Any suggestion?</P> Fri, 15 Mar 2024 14:49:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VPN-using-certificates-between-two-different-Checkpoint-domains/m-p/208891#M39565 Ilovecheckpoint 2024-03-15T14:49:24Z