https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233826#M45273 <P>Do you use a IP-address for the gateway? That's not possible. The wildcard just includes domains. There is not wildcard IP-address certificate. You have to use FQDN.</P> Tue, 26 Nov 2024 14:23:27 GMT Daniel_ 2024-11-26T14:23:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233722#M45236 <P>Hello.&nbsp;</P><P>I'm trying to use a 3rd party wildcard certificate for GAIA portal access to some of our firewalls.&nbsp; A CP engineer and I installed wildcard.key file as server.key and the .crt file as server.crt but the IP was still resolving to the ISP domain name so it was giving a domain mismatch error.&nbsp;</P><P>I got that fixed and now the ip resolves to our domain but the website still shows an error and says that the domains do not match.&nbsp;</P><P>I got a new engineer who says we have to do a CSR for each gateway and cannot use the wildcard certificate.&nbsp;</P><P>Is this the case or were we just not communicating?</P> Mon, 25 Nov 2024 22:07:03 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233722#M45236 AaronPW 2024-11-25T22:07:03Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233728#M45244 <P>As far as I know, this is supported.<BR />Are you accessing the Gaia WebUI by FQDN?</P> Mon, 25 Nov 2024 23:29:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233728#M45244 PhoneBoy 2024-11-25T23:29:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233738#M45250 <P>Im fairly positive you can use wildcard cert, had seen customers do it before.</P> <P>Andy</P> Tue, 26 Nov 2024 03:13:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233738#M45250 the_rock 2024-11-26T03:13:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233826#M45273 <P>Do you use a IP-address for the gateway? That's not possible. The wildcard just includes domains. There is not wildcard IP-address certificate. You have to use FQDN.</P> Tue, 26 Nov 2024 14:23:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/233826#M45273 Daniel_ 2024-11-26T14:23:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/236914#M45936 <P>If you are wanting to change the GAIA portal certificate - you want to use the Platform Portal section of the Gateway Properties to change the certificate. Don't manually change the files at the CLI. I think it is possible to edit the files, then restart the service, but with the multiportal it is easier to do it this way. Just don't forget to install the policy after making the change.<BR /><BR /></P> <DIV id="tinyMceEditor_2fb678d92ea2c1CP_Chris_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <DIV id="tinyMceEditor_2fb678d92ea2c1CP_Chris_1" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="portal cert.jpg" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29016iFD05A5FC2EAF9364/image-size/large?v=v2&amp;px=999" role="button" title="portal cert.jpg" alt="portal cert.jpg" /></span></P> <P> </P> Thu, 26 Dec 2024 21:12:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/236914#M45936 CP_Chris 2024-12-26T21:12:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/244444#M47568 <P>And when it's in a cluster you use the internal VIP for the FQDN.&nbsp; However, since the VIP FQDN of a member is a different ip then the VIP you still get a warning.&nbsp; Not to mention the standby member...&nbsp; Also, there is no portal platform section on a manager.&nbsp;&nbsp; For the manager you must need to trust the CP ICA to your browsers trusted CAs store.</P> Fri, 21 Mar 2025 15:57:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/244444#M47568 Daniel_Kavan 2025-03-21T15:57:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/245888#M47912 <P>You can use the SAN to create multiple FQDN and IP address matches so a single cert works for the cluster. See&nbsp;<SPAN><A href="https://support.checkpoint.com/results/sk/sk170395" target="_blank">https://support.checkpoint.com/results/sk/sk170395</A>. Note it only shows DNS options for FQDN, but you can also use IP options for IP address in case you go to the portal via IP. Example:<BR /></SPAN></P> <P><SPAN>subjectAltName = <a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/28757">@VPN</a>_names<BR />[vpn_names]<BR />DNS.1 = <A href="http://www.abc.com" target="_blank">www.abc.com</A><BR />DNS.2 = abc.com<BR />DNS.3 = sub.abc.com<BR />DNS.4 = sub2.abc.net<BR />IP.1 = 172.25.105.136<BR />IP.2 = 172.25.105.134</SPAN></P> Mon, 07 Apr 2025 18:00:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-install-a-wildcard-certificate-without-generating-a-CSR/m-p/245888#M47912 CP_Chris 2025-04-07T18:00:33Z