https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258437#M50686 <P>Hello,<BR />I’m looking to set up a VPN tunnel using certificate-based authentication, and I have a question regarding how to implement a multi-level trust chain on an SMS (R81-20).<BR />Currently, each party shares its public certificate chain for authentication. For a two-level structure (Root CA &gt; Sub CA), the Root CA certificate is registered in the SMS as a Trusted CA, and the Sub CA certificate is registered as a Subordinate CA:</P><P>Trusted Root CA &gt; Subordinate Sub CA</P><P>However, what is the correct process when there is a third level or more (e.g., Root CA &gt; Sub CA &gt; Sub-Sub CA)?<BR />Registering both the Sub CA and Sub-Sub CA as subordinate CAs in the SMS leads to incorrect interpretation:</P><P>Trusted Root CA &gt; Subordinate Sub CA<BR />Trusted Root CA &gt; Subordinate Sub-Sub CA</P><P>Alternatively, registering the Sub CA as both a Trusted CA and a Subordinate CA results in this interpretation:</P><P>Trusted Root CA &gt; Nothing<BR />Trusted Sub CA &gt; Subordinate Sub CA<BR />Trusted Sub CA &gt; Subordinate Sub-Sub CA</P><P>In both cases, the SMS does not correctly interpret the full chain as:</P><P>Root CA certifies for Sub CA which certifies for Sub-Sub CA</P><P>Would you have a clue on the correct procedure for configuring a multi-level certificate trust chain in the SMS?<BR />Thank you in advance.</P> Mon, 29 Sep 2025 09:33:23 GMT Benjamin133030 2025-09-29T09:33:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258437#M50686 <P>Hello,<BR />I’m looking to set up a VPN tunnel using certificate-based authentication, and I have a question regarding how to implement a multi-level trust chain on an SMS (R81-20).<BR />Currently, each party shares its public certificate chain for authentication. For a two-level structure (Root CA &gt; Sub CA), the Root CA certificate is registered in the SMS as a Trusted CA, and the Sub CA certificate is registered as a Subordinate CA:</P><P>Trusted Root CA &gt; Subordinate Sub CA</P><P>However, what is the correct process when there is a third level or more (e.g., Root CA &gt; Sub CA &gt; Sub-Sub CA)?<BR />Registering both the Sub CA and Sub-Sub CA as subordinate CAs in the SMS leads to incorrect interpretation:</P><P>Trusted Root CA &gt; Subordinate Sub CA<BR />Trusted Root CA &gt; Subordinate Sub-Sub CA</P><P>Alternatively, registering the Sub CA as both a Trusted CA and a Subordinate CA results in this interpretation:</P><P>Trusted Root CA &gt; Nothing<BR />Trusted Sub CA &gt; Subordinate Sub CA<BR />Trusted Sub CA &gt; Subordinate Sub-Sub CA</P><P>In both cases, the SMS does not correctly interpret the full chain as:</P><P>Root CA certifies for Sub CA which certifies for Sub-Sub CA</P><P>Would you have a clue on the correct procedure for configuring a multi-level certificate trust chain in the SMS?<BR />Thank you in advance.</P> Mon, 29 Sep 2025 09:33:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258437#M50686 Benjamin133030 2025-09-29T09:33:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258446#M50691 <P>Did you try setting the root CA as well?</P> Mon, 29 Sep 2025 11:28:41 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258446#M50691 _Val_ 2025-09-29T11:28:41Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258450#M50692 <P>Yes, for both tests, the root CA was registered as Trusted CA on the SMS.</P><P>Test 1: We have Root CA as Trusted CA, Sub CA and Sub-Sub CA registered as Subordinate.</P><P>Test 2:&nbsp;We have Root CA as Trusted CA, Sub CA both as Trusted CA and Subordinate CA and Sub-Sub CA only registered as Subordinate</P><P>Below is how the trust chain is perceived by the SMS afterward:</P><P><SPAN>Test 1:<BR />Trusted Root CA &gt; Subordinate Sub CA</SPAN><BR /><SPAN>Trusted Root CA &gt; Subordinate Sub-Sub CA</SPAN></P><P>Test 2:<BR /><SPAN>Trusted Root CA &gt; Nothing</SPAN><BR /><SPAN>Trusted Sub CA &gt; Subordinate Sub CA</SPAN><BR /><SPAN>Trusted Sub CA &gt; Subordinate Sub-Sub CA</SPAN></P><P><SPAN>&gt; : is Trusted CA for (chosen automatically by the SMS)</SPAN></P><P>&nbsp;</P> Mon, 29 Sep 2025 11:59:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258450#M50692 Benjamin133030 2025-09-29T11:59:46Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258509#M50699 <P>If it's not a Root CA you're importing, you should put the entire certificate chain in there (root and all subordinates).<BR />This applies if it's a Sub Sub CA as well, as far as I know.</P> Tue, 30 Sep 2025 00:20:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPSec-VPN-Multiple-level-chain-of-trust-certificate/m-p/258509#M50699 PhoneBoy 2025-09-30T00:20:49Z