https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213642#M40716 <P>I dont think you are missing anything, that sk seems valid for the issue they have. Just curious, does it make any difference if they try private browser window?</P> <P>Andy</P> Wed, 08 May 2024 12:47:22 GMT the_rock 2024-05-08T12:47:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213626#M40714 <P>Hi</P><P>A customer has a requirement to prevent this message from appearing when accessing GAIA.</P><P>I am aware of&nbsp;<SPAN>&nbsp;</SPAN><SPAN class="">sk174383.</SPAN></P><P>However I have explained that this certificate is generated automatically by the system and pragmatically the fact that you trust the Checkpoint ICA, and all certificates signed by it, should be sufficient to mitigate any concerns.</P><P>The customer could generate a CSR and submit to an internal PKI I guess as per&nbsp;<SPAN>sk69660.</SPAN></P><P>But that's quite a lot of work to do per gateway (they have a large estate) and every time the certificate expires.</P><P>The customer also has no internal PKI and I see no reason why they should pay for third party certificates just so a malicious user would trust the certificate chain.</P><P>I also suggested they export the certificate chain and push out by GPO but this will still likely get picked up by external scans and tests.</P><P>So my question is: is there any way to influence the behaviour of the SAN via the built in ICA to avoid this problem going forwards?</P><P>Is this something that is being looked at for upcoming JHF?</P><P>Am I just being dumb and missing something obvious? <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /><BR />Any Input would be appreciated - thanks!</P> Wed, 08 May 2024 11:40:01 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213626#M40714 LazarusG 2024-05-08T11:40:01Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213642#M40716 <P>I dont think you are missing anything, that sk seems valid for the issue they have. Just curious, does it make any difference if they try private browser window?</P> <P>Andy</P> Wed, 08 May 2024 12:47:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213642#M40716 the_rock 2024-05-08T12:47:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213699#M40725 <P>The certificate for the Gaia portal is not generated via the ICA.<BR />There appears to be a procedure to add information to the SAN for the Gaia Portal Certificate in sk97648, but the SK is internal.<BR />Please consult with TAC: <A href="https://help.checkpoint.com" target="_blank" rel="noopener">https://help.checkpoint.com</A>&nbsp;</P> Wed, 08 May 2024 23:03:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213699#M40725 PhoneBoy 2024-05-08T23:03:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213830#M40767 <P>Hi unfortunately not and it seems exporting the ICA cert and importing to the Root Certificate store on the PC doesn't solve the issue (even if the appliance gaia cert is also imported into Personal and the chain is shown as OK in mmc).</P> Fri, 10 May 2024 09:30:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213830#M40767 LazarusG 2024-05-10T09:30:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213832#M40768 <P>Thanks Phone boy, Can I clarify on the signing? I just exported the gateway cert from the Gaia browser and added it to personal store but it was shown as untrusted. I then exported the ICA cert from Smartconsole and imported to root store and now the certificate chain is shown as ok.<BR /><BR />I will maybe engage TAC but if customers will have requirements to address this browser warning it would be good if it was something we could influence easily (or automatically in the system without effort on customer part).</P><P>I just found&nbsp;sk181410 which looks like this would address the issue (?) still seems like a lot of effort for something that 'isn't' broken just to make a browser happy.</P><P>##update although I didn't get this Phoneboy so apologies (I thought the appliance gaia cert was chained)<BR /><SPAN>sk181410</SPAN><BR /><SPAN>"Note - Each Gaia OS has a unique self-signed certificate"</SPAN></P><P><SPAN>##Update again = ok so I was confused, when a firewall is built it has a self signed cert, but if you enable VPN blade and push policy the gai cert becomes the vpn cert - which <U>is</U> signed by the ICA.</SPAN></P><P><SPAN>So it seems we need to follow&nbsp;sk181410 to generate new self signed certs that satisfy the browser CN/SAN requirements - and/or renew the vpn cert with additional criteria?&nbsp;<BR /><BR /></SPAN></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 10 May 2024 16:16:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213832#M40768 LazarusG 2024-05-10T16:16:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213895#M40793 <P>Maybe TAC case is not a bad idea, just to confirm the steps, but sounds logical to me.</P> <P>Andy</P> Sat, 11 May 2024 01:51:00 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/213895#M40793 the_rock 2024-05-11T01:51:00Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/214013#M40851 <P>looks like&nbsp;<SPAN>sk181410 made the mgmt server agreeable to the browser.</SPAN></P><P><SPAN>Then adding the ICA cert and vpn gateway cert to the trusted and personal store made the vpn gateway ok too</SPAN></P> Mon, 13 May 2024 12:02:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/214013#M40851 LazarusG 2024-05-13T12:02:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/214065#M40867 <P><SPAN>sk181410 looks like the correct procedure in this case, yes.</SPAN></P> Mon, 13 May 2024 16:30:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/214065#M40867 PhoneBoy 2024-05-13T16:30:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/214066#M40868 <P>That fixed it?</P> Mon, 13 May 2024 16:39:15 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/NET-ERR-CERT-COMMON-NAME-INVALID-GAIA-Portal/m-p/214066#M40868 the_rock 2024-05-13T16:39:15Z