topic Re: OpenSSL latest version support for pkcs12 cert creation in Firewall and Security Management

OpenSSL latest version support for pkcs12 cert creation

lolith — Thu, 23 Nov 2023 14:01:20 GMT

Hello,

Recently we hit this SK sk123237- "Failed to import outbound certificate. Check that the certificate's format is suitable and that the correct password has been entered" error when importing inbound certificate for HTTPS Inspection (checkpoint.com)

We have an environment running on both R81.10 and R81.20. The OpenSSL version 3.x.x was released a long time back and most of our systems and machines are running with OpenSSL 3.x.x. So, it becomes really hard to go lower version just to create pkcs12 cert for Checkpoint. Is there any plan to fix this certificate issue with these latest versions of OpenSSL?

Regards,

Lolith

Re: OpenSSL latest version support for pkcs12 cert creation

Tobias_Moritz — Mon, 27 Nov 2023 08:16:54 GMT

While I'm also interested in the answer from CP to your question, I want to offer you are workaround you may not know yet, when you say it becomes really hard to find hosts with legacy openssl versions to create pkcs12 containers which you can load into Check Point products:

Use the openssl v3 parameter -legacy or specify pbe crypto functions manually like -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES to enforce crypto functions which are compatible with openssl v1.

Other options would be creating the pkcs12 file directly on Gaia CLI with cpopenssl or install the OpenSSLv1.1 version next to OpenSSLv3 on your modern linux hosts. On RHEL9 e.g., there is a package called compat-openssl11 for that purpose.

Btw: R81.20 is based on RHEL7 and R82 will be based on RHEL8. OpenSSLv3 was introduced with RHEL9. But GAIA is not a clean RHEL, so CP could bundle OpenSSLv3 with R82 if they want and fix all dependencies. I have no access to R82 EA currently, so I cannot verify if they did already.

Re: OpenSSL latest version support for pkcs12 cert creation

lolith — Mon, 27 Nov 2023 08:28:18 GMT

Hello Tobias,

Thanks for your reply.

We did try with -legacy parameter, but did not work as expected. Was still giving error for some reason.

The other problem is our PKI team is different and we create the PKCS12 cert from our internal CA systems. So, PKI don't have access to our GAIA CLI. Unfortunately, there is quite restricted access in our company.

So as a workaround, we have both V1 and V3 installed and its cumbersome and compliance issue with lower version being running all the time. So, we install v1, create cert and then delete 😞

Permanent fix would always benefit everyone in the involving world I believe.

Regards,

Lolith

Re: OpenSSL latest version support for pkcs12 cert creation

PhoneBoy — Mon, 27 Nov 2023 14:14:35 GMT

When we update OpenSSL, it will most likely be done as part of a major release (R82 or one thereafter).
Unfortunately, I haven't seen R82 code yet to verify if this was done.
In any case, you may need to reach out to your local Check Point office to discuss a possible RFE.

Re: OpenSSL latest version support for pkcs12 cert creation

TRajkumar — Thu, 14 Dec 2023 16:20:48 GMT

Hi Mr.Phoneboy

Hope your are doing well..

I have the issue for creating the certificate for the HTTPS inspection. I followed the article sk165856 and stuck at 6th step.

I unable to convert the certificate to p12 format. I tried the conversion from linux machine and got it, but its from openssl v3. it not supported by the checkpoint. How i proceed this. could you pls guide me for the any other alternate steps.

if i try the conversion on checkpoint, gets "unable to load certificate" message. Can you let me know which version of openssl checkpoint was using.

Thanks

Rajkumar

Re: OpenSSL latest version support for pkcs12 cert creation

PhoneBoy — Fri, 15 Dec 2023 00:31:19 GMT

I don't recall the exact version of OpenSSL we use, but it's a 1.x version.
You can use cpopenssl on a Check Point gateway/management.

Re: OpenSSL latest version support for pkcs12 cert creation

TRajkumar — Fri, 15 Dec 2023 04:29:01 GMT

Yes, i got the version of checkpoint its 1.1.1k. But i faced an error "Unable to load certificates" when converting the signed certificate to p12 format. Any compatibility need to check from CA server side for this lower version of openssl.

Your guidance would be appreciated 🙂

Thanks

Re: OpenSSL latest version support for pkcs12 cert creation

PhoneBoy — Fri, 15 Dec 2023 18:19:20 GMT

Try generating a CSR via the CLI as described here: https://support.checkpoint.com/results/sk/sk165856
Get your CA to sign it and follow the steps.
If it still doesn't work, I suggest a TAC case: https://help.checkpoint.com

Re: OpenSSL latest version support for pkcs12 cert creation

TRajkumar — Sat, 16 Dec 2023 10:46:07 GMT

Hi Everyone,

Just for your knowledge from myside.

I have completed the certifications and activated the HTTPS inspection successfully.

Follow the sk165856, But instead of step 6 i followed the below

1. Get the signed certificate as .CRT format

2.Use a Key file in .key format

3.Run "cpopenssl pkcs12 -export -in inspection-ca.crt -inkey inspection-key.key -out inspection.pfx"

4.After got the certificate in .pfx format, rename it to .p12 format

5.import to smart console.

Hope this helps everyone:)

Thanks

Rajkumar