topic export certificate for ldap user remote access in General Topics

export certificate for ldap user remote access

dkurochkin — Sat, 12 Apr 2025 15:10:14 GMT

Hello team

I'm so sorry for my question

For remote access vpn need auth certificate + password for ldap user

how to export *.p12 file for LDAP user from smartdashboard -> mobile access -> client certifiactes ??

or another way to get *.p12 file for ldap user ??

thx

Re: export certificate for ldap user remote access

the_rock — Sat, 12 Apr 2025 16:59:40 GMT

I know it can be done using ICA mgmt tool, but will check tomorrow using smart console in the lab.

Andy

Re: export certificate for ldap user remote access

the_rock — Sat, 12 Apr 2025 17:35:12 GMT

I totally forgot I upgraded my lab mgmt to R82, but either way, those options are bit different, I cant see anywhere that lets you export the cert from smart console. Maybe someone else can confirm for you.

Andy

Re: export certificate for ldap user remote access

dkurochkin — Sat, 12 Apr 2025 22:23:33 GMT

Thanks for your answer

But how to for ldap user use 2 factor auth with password + certificate ?

Re: export certificate for ldap user remote access

the_rock — Sat, 12 Apr 2025 22:42:39 GMT

I will do some more tests Sunday and let you know.

Andy

Re: export certificate for ldap user remote access

the_rock — Sun, 13 Apr 2025 14:58:40 GMT

Hey, sorry for the delay, will check this later today.

Andy

Re: export certificate for ldap user remote access

the_rock — Sun, 13 Apr 2025 18:58:14 GMT

Im really struggling to find a way to do this from smart console (not even sure if its possible)...

Andy

Re: export certificate for ldap user remote access

dkurochkin — Sun, 13 Apr 2025 23:05:32 GMT

Thanks for your answer

M.b. another way ?

Not by smartconsole?

R81.20

Re: export certificate for ldap user remote access

the_rock — Sun, 13 Apr 2025 23:08:02 GMT

Maybe this?

Andy

https://support.checkpoint.com/results/sk/sk179785

Re: export certificate for ldap user remote access

dkurochkin — Mon, 14 Apr 2025 07:42:31 GMT

way like sk179785 not work in this case

becouse sk179785 get me GW certificate (in smartConsole gw and servers -> gw -> IPSec VPN -> Repository of certificates available to the gateway)

but I'm need p12 file for LDAP user (smartdashboard -> mobile access -> client certifiactes)

need second factor like certificate for remote acces in client for ldap user

how to do it ?

Re: export certificate for ldap user remote access

dkurochkin — Mon, 14 Apr 2025 14:37:22 GMT

vpn client do it (get cert from gw) automatic when enroll cert by first connect

but if in enroll procedure cert wasnt installed, dont now how to export p12 file

need recreate new certificate and its work

thanks

Re: export certificate for ldap user remote access

PhoneBoy — Mon, 14 Apr 2025 16:49:55 GMT

I assume the enrollment process actually generates the certificate on the client itself.
Which means there is nothing to export from the management.

If the enrollment process fails, you will need to issue another enrollment to the user.
If that process continues to fail, please consult with TAC.

Re: export certificate for ldap user remote access

dkurochkin — Tue, 15 Apr 2025 09:05:41 GMT

some about p12 file

smartdashboard -> mobile access -> client certifiactes

after double click on certificate -> windows about p12 file

so p12 file exists, we don't know how to get it

Re: export certificate for ldap user remote access

PhoneBoy — Tue, 15 Apr 2025 13:27:57 GMT

All that means is the management has the user's public key, which is expected.
Without the private key, which is generated and stored only on the client itself, it is not useful to provide an export.
Storing these private certificates centrally presents an unnecessary security risk.

Even in cases where we have to manage a private key (e.g. Site-to-Site VPNs authenticated with certificates), a new certificate can easily be generated as needed.
To maintain security, when a new certificate is generated, the old one is marked as revoked in the CRL.
As such, we do not permit export of certificates after the initial generation.