topic How to create a TRUSTED ROOT CA? in Firewall and Security Management

How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Wed, 20 Jun 2018 23:46:33 GMT

Has anyone created a “Trusted Root CA” (root-ca.crt) that is not recognized by the client computer? I followed the guide for this poc to get the cert:

I did change the name (sblast.lab.local) but everything is the same ....when I import it:

The docs states there should not be any issues and look like this:

Any ideas how to resolve it or find another means to get a working “Trusted Root CA"? I also saw SK 113599 but decided to use this doc.

Re: How to create a TRUSTED ROOT CA?

PhoneBoy — Thu, 21 Jun 2018 03:50:58 GMT

Your screenshot for when you imported it doesn't show...it points to Gmail.

You might want to download it and reattach to the above message.

Re: How to create a TRUSTED ROOT CA?

Pedro_Espindola — Thu, 21 Jun 2018 04:08:10 GMT

If you are getting browser errors maybe the problem is with the end certificate, not the root CA certificate.

Your certificate might be missing a subject alternate name or the redirect URL doesn't match the CN or any alternate name.

What does the browser tell you about the error? Hit F12 > Security. It will tell you the exact reason for the error. Share with us.

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 13:20:33 GMT

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 14:03:39 GMT

Hi Pedro. Thanks for the quick reply. That's exactly what I'm thinking and last night spend some time trying to review the steps in the command. It looks like it does read off it too... Here is the actual file (sba_openssl.cnf) that is initially setup. Once I run the commands and generate the cert it ask me for C, ST, O...etc. and I was entering diff info but tried to match them last night but no luck.

I'll look into the area you suggested and follow up.

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 14:15:21 GMT

Here is the error.

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 14:39:43 GMT

Re: How to create a TRUSTED ROOT CA?

Pedro_Espindola — Thu, 21 Jun 2018 14:43:11 GMT

On the browser, hit F12 and go to the "Security" tab to see more details.

Also, open the certificate and check the certification path.

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 15:03:35 GMT

Here is more info.

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 15:10:29 GMT

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 15:15:33 GMT

Here are the exact steps and file.

6.1 Create a CA certificate

(sba_openssl.cnf might be completely omitted if you use FQDN throughout all SBA config steps)

Ignore all warning outputs you get when running the cpopenssl commands 🙂

1) Create /tmp/sba_openssl.cnf (change CN, DNS and IP according to your SB appliance settings) and insert this content:

[ req ]

prompt = no default_bits = 4096

distinguished_name = req_distinguished_name

x509_extensions = req_ext

[ req_distinguished_name ]

C=DE

ST=BY

O=CP

OU=SB

CN=sblast.lab.local

[ req_ext ]

subjectAltName = @alternate_names

[alternate_names]

DNS.1=sblast.lab.local

DNS.2=10.200.75.50

IP.1=10.200.75.50

2) Create CA private key

# cpopenssl genrsa -aes256 –out ca-root.key 2048

3) Create CA certificate

# cpopenssl req -x509 -new -nodes -extensions v3_ca -key ca-root.key -days 1024 -out ca-root.crt -sha512 -config /var/opt/CPshrd-R77/conf/openssl.cnf

Be sure to set the common name to your domain only. Common Name (e.g. server FQDN or YOUR name) []: lab.local

6.2 Create SandBlast UserCheck certificate

1) Create Server private key

# cpopenssl genrsa -out sblast.local.key 4096

2) Create certificate signing request

# cpopenssl req -new -key sblast.lab.local.key -sha512 -subj "/C=DE/ST=BY/O=CheckPoint/CN=sblast.lab.local" -config /tmp/sba_openssl.cnf -out sblast.lab.local.csr

3) Create server public certificate

# cpopenssl x509 -req -in sblast.lab.local.csr -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -extensions req_ext -extfile /tmp/sba_openssl.cnf -out sblast.lab.local.crt -days 365 -sha512

4) Convert server certificate to PKCS#12

# cpopenssl pkcs12 -export -in sblast.lab.local.crt -inkey sblast.lab.local.key -out sblast.lab.local.p12 -certfile ca-root.crt

==============================

NOTE: I think the problem might the "RED" font area.

The two important files are "R7730TE.lab.local.p12" and ca-root.crt. It's the ca-root.crt that I'm installing on my labtop/client.

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Thu, 21 Jun 2018 15:32:38 GMT

Going to try something new... support just told me the following:

Based on the information that is on the case it seems it looks like we are not combining the CA certificate with the server cert. The next step here will be to follow sk69660 which is originally intended for Mobile Access. The steps are the same for UserCheck the only difference will be step 3, you will just have to import the certificate under the UserCheck tab.

I'll follow up on the results after lunch.

Re: How to create a TRUSTED ROOT CA?

Pedro_Espindola — Thu, 21 Jun 2018 19:28:55 GMT

That is correct, the certificate is missing the root CA in the chain. There should be the lab.local certificate above the sblast.lab.local in the certification path.

In step 4, add the option -certfile ca-root.crt

Re: How to create a TRUSTED ROOT CA?

Ed_Gonzalez — Fri, 22 Jun 2018 03:35:17 GMT

Hey Pedro. Thanks your suggestion....it worked! For some reason the work laptop was probably the main issue since it was not working there. But, once I tried the lab computer it worked great! Thanks! Ed

Re: How to create a TRUSTED ROOT CA?

Pedro_Espindola — Fri, 22 Jun 2018 14:24:14 GMT

Great to know, Ed!

Please mark this question as answered if everything is working.

Re: How to create a TRUSTED ROOT CA?

PhoneBoy — Fri, 22 Jun 2018 18:36:58 GMT

FYI I marked Ed Gonzalez‌'s answer correct and added your suggestion to step 4.

Re: How to create a TRUSTED ROOT CA?

Pedro_Espindola — Fri, 22 Jun 2018 21:13:44 GMT

Great! Thanks