topic Re: HTTPS certificate creation in Firewall and Security Management

HTTPS certificate creation

Steve_Pearson — Wed, 08 Jan 2025 12:55:44 GMT

I'm in the process of "rebuilding" a system, and one element that I need to re-enable is HTTPS inspection. This was working previously, but has been bypassed for the last several months (by a rule in the policy)

The existing certificate is 5 years old with a 10 year life, and at present is NOT installed on the users machines due to them being rebuilt (and group policy being reset too!), its also created on the management server using the company's name as the issuing authority (www.mycompany,co,uk), but this is a local certificate and nothing to do with the actual real domain by that name. So the cert shows issued by and issued to, both as www.mycompany.co.uk, which is a little confusing for people.

So my thought is to generate a new certificate on the management server, using a more generic or obvious name with a full 10 years on it, then deploy this with via a GPO, however I can't see a way to do this.

I'm assuming that there is a way to do this but so far I've not found anything helpful (everything seems to discuss creating it when you turn on HTTPS inspection, but as it's already on this isn't an option), so I was wondering if anyone could advise me?

Re: HTTPS certificate creation

the_rock — Wed, 08 Jan 2025 13:04:18 GMT

Hey Steve,

I had that happen with customer once and TAC provided below sk to follow.

Andy

https://support.checkpoint.com/results/sk/sk92870

Re: HTTPS certificate creation

AkosBakos — Wed, 08 Jan 2025 13:08:23 GMT

Hi,

If you want to renew the ICA, maybe this sk helps

https://support.checkpoint.com/results/sk/sk158096

Or do you want to make an intermediate (issuer) Ca?

Akos

Re: HTTPS certificate creation

AkosBakos — Wed, 08 Jan 2025 13:43:52 GMT

Hi @Steve_Pearson

If you want to create manually a new cert for eg to your GW maybe you can follow this sk

https://support.checkpoint.com/results/sk/sk30501

After you create the user to access the ICA managament you will see this screen:

Then you will be able to create a new cert as you want.

Akos

Re: HTTPS certificate creation

the_rock — Wed, 08 Jan 2025 14:22:40 GMT

Totally forgot about that, I see I had it set up in my lab as well, great tool!

Andy

Re: HTTPS certificate creation

Lesley — Wed, 08 Jan 2025 14:46:13 GMT

Can be done via Smart Dashboard -> https://support.checkpoint.com/results/sk/sk108641

Or with cpopen ssl on CLI (Check points version of openSSL)

Or any other system with openSSL.

Would do it via SmartDashboard, everything you need to do you can do over there.

My customer did it also that way couple days ago and added to the client and works great.

If something is wrong about the certificate clients will get warning in browser.

Re: HTTPS certificate creation

Steve_Pearson — Thu, 09 Jan 2025 09:29:07 GMT

Hi Andy,

This doesn't mention R81.20, but it does mention R81.10 so I figured that as long as I do a snapshot first it's definitely worth a try!

Worked like a dream, resetting the HTTPS as if it's never been enabled before, and allowed me to create a new certificate which was exactly what was required!

Perfect, thanks!

Steve

Re: HTTPS certificate creation

the_rock — Thu, 09 Jan 2025 12:06:52 GMT

Great job! Glad we can help.

Andy