https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210679#M8482 <P>is that cert you used based on the trusted ca? because i believe it must be. Also, it cannot be empty fields in the certname, like *.trusted.company.crt for instance.</P><P>the * needs to be replaced with something, like machineid.trusted.company.crt, if i remember correct.</P><P>&nbsp;</P><P>Br</P><P>&nbsp;</P> Mon, 08 Apr 2024 12:25:55 GMT KM1895 2024-04-08T12:25:55Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208760#M8400 <P>hi,</P><P>&nbsp;</P><P>Im currently assisting a customer with trying to set up machine certification on their windows mobile clients.</P><P>As far as i can tell, i think i have done the correct initial settings:</P><P>&nbsp;</P><P>- added the trusted ca and subordinate ca to smartconsole</P><P>- made sure that they are set to use ldap account unit to retrieve crl</P><P>- set "send machine certificate" to mandatory, on the gateway object</P><P>- configured the basic remote access settings on the gateway</P><P>- int trac.defaults, i see that enable_machine_auth is set to true, but machine_tunnel_afer_logon is still set to false, which we intend to change</P><P>&nbsp;</P><P>What else am i missing, as i only get a "certificate is required" error message when trying to log on to the gateway.</P><P>I have only done this once before, and unfortunately, i cannot recall all the steps i did back then, so any input would be appreciated.</P><P>&nbsp;</P><P>mgmt server is 81.20, while gateway is 81.10.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Mar 2024 12:58:17 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208760#M8400 KM1895 2024-03-14T12:58:17Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208767#M8401 <P>This is what TAC sent us before, but I dont believe we ever followed it, as customer had more pressing issues to deal with.</P> <P>Best,</P> <P>Andy</P> <P>&nbsp;</P> <P><A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Machine-Certificate.htm?Highlight=Machine%20Auth" target="_blank">https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_RemoteAccessVPN_AdminGuide/Topics-VPNRG/Machine-Certificate.htm?Highlight=Machine%20Auth</A></P> Thu, 14 Mar 2024 13:33:51 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208767#M8401 the_rock 2024-03-14T13:33:51Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208770#M8402 <P>hi,</P><P>thanks for the quick reply.</P><P>Have followed this one, and i think i have everything in place...just asked the customer to try again, but have a sneaky feeling something is still not right.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 14 Mar 2024 13:52:25 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208770#M8402 KM1895 2024-03-14T13:52:25Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208771#M8403 <P>Can you send a screenshot of what they see?</P> <P>Andy</P> Thu, 14 Mar 2024 13:54:40 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/208771#M8403 the_rock 2024-03-14T13:54:40Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210672#M8478 <P>attaching the error they receive when trying to log on.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="error.png" style="width: 436px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/25191i21F6845597FAD4A0/image-size/large?v=v2&amp;px=999" role="button" title="error.png" alt="error.png" /></span></P> Mon, 08 Apr 2024 11:59:12 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210672#M8478 KM1895 2024-04-08T11:59:12Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210674#M8479 <P>Thats it, thats EXACTLY what I get in the lab. I dont believe our client get that, but it never prompts them for cert auth to begin with.</P> <P>Andy</P> Mon, 08 Apr 2024 12:17:10 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210674#M8479 the_rock 2024-04-08T12:17:10Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210677#M8480 <P>worst thing is, i have set this up once before, but wasnt much involved in the client setup.</P><P>So, i believe that things are correct set up on the Checkpoint side, but for some strange reason, the certificate, or at least not the correct, certificate is not presented.&nbsp;</P><P>Have asked the customer for a verification of the certificates in the capi store, but here, im a bit on wobbly ground, as this is not something i work with on a daily basis.</P><P>&nbsp;</P><P>Br</P><P>&nbsp;</P> Mon, 08 Apr 2024 12:20:40 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210677#M8480 KM1895 2024-04-08T12:20:40Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210678#M8481 <P>Im sure someone will make me feel real dumb when they say what has to be done to make this work on windows side, but if I can get it work in the lab, happy to do it : - )</P> <P>I googled this so many times to see what Im missing, but not matter what I try, it simply does not work. I even tested with free p12 cert I found online, you set the cert as machine cert in mmc console, no joy.</P> <P>Andy</P> Mon, 08 Apr 2024 12:23:16 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210678#M8481 the_rock 2024-04-08T12:23:16Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210679#M8482 <P>is that cert you used based on the trusted ca? because i believe it must be. Also, it cannot be empty fields in the certname, like *.trusted.company.crt for instance.</P><P>the * needs to be replaced with something, like machineid.trusted.company.crt, if i remember correct.</P><P>&nbsp;</P><P>Br</P><P>&nbsp;</P> Mon, 08 Apr 2024 12:25:55 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210679#M8482 KM1895 2024-04-08T12:25:55Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210680#M8483 <P>I did not do any of that, because its not trusted CA, plus, it asks for p12 certificate, so I generated one from mgmt ICA tool and also tried free one I found online, but its always exact same error you sent, no matter what cert store you place it in.</P> <P>Andy</P> Mon, 08 Apr 2024 12:29:57 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210680#M8483 the_rock 2024-04-08T12:29:57Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210682#M8484 <P>i see.</P><P>&nbsp;</P><P>but as far as i can tell, this error is related to something on the client, rather than checkpoint. So for now, i feel focus my troubleshooting there.</P><P>&nbsp;</P><P>Guess there is not much else to do in trac.defaults, other than setting the tunnel stuff to true.</P><P>&nbsp;</P><P>Br</P><P>&nbsp;</P> Mon, 08 Apr 2024 12:34:37 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210682#M8484 KM1895 2024-04-08T12:34:37Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210686#M8485 <P>I dont think so either, trac.defaults would not have much to do with cert itself, at least specially the machine one.</P> <P>Andy</P> Mon, 08 Apr 2024 12:50:17 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210686#M8485 the_rock 2024-04-08T12:50:17Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210689#M8486 <P>Have you checked out&nbsp;<A href="https://support.checkpoint.com/results/sk/sk175111?" target="_blank">https://support.checkpoint.com/results/sk/sk175111?</A>&nbsp;Had this issue when setting it up in my lab.&nbsp;</P> Mon, 08 Apr 2024 13:00:01 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210689#M8486 Albin 2024-04-08T13:00:01Z https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210691#M8487 <P>Yup, did that on day 1, no joy.</P> <P>Andy</P> Mon, 08 Apr 2024 13:04:58 GMT https://community.checkpoint.com/t5/Endpoint/Machine-Certificate/m-p/210691#M8487 the_rock 2024-04-08T13:04:58Z