topic Re: HTTPS inspection - Create a CSR for outbound certificate for external CA in General Topics

HTTPS inspection - Create a CSR for an external CA to use for the outbound certificate

Emil_T — Thu, 18 Sep 2025 05:13:33 GMT

How can I create a new CSR (Certificate Signing Request) for outbound certificate for external CA ? The CA is a windows CA server.

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

the_rock — Wed, 17 Sep 2025 00:54:24 GMT

Not sure if below steps make 100% sense, but looks okay to me.

Andy

******************

1. Decide Where to Generate the CSR

You can generate the CSR either:

On the Check Point Security Gateway / Management Server (Gaia CLI or SmartConsole)
Externally (Windows/Linux) and then import the signed certificate + private key

Best practice: generate the CSR directly on the Check Point box where the private key will be used, so the key never leaves the device.

2. Generate CSR in Gaia Portal (Easiest)

Log into the Gaia Portal (https://<mgmt_or_gateway_IP>).
Go to:
Device > Certificates > Outgoing Certificates
Click Add > Create Certificate Signing Request (CSR).
Fill in the fields:
- CN (Common Name): typically the FQDN used for outbound TLS (e.g., proxy.company.com)
- O (Organization), OU, L, ST, C as required by your CA policy
- Key length: 2048 or 3072 bits (depending on your CA requirements)
Save/Generate → This will create a .csr file.
Download the CSR file.

3. Submit CSR to Windows CA

On your Windows CA server:

Open Certification Authority MMC.
Right-click the CA → All Tasks → Submit new request.
Or, if using web enrollment, open:
http://<CAserver>/certsrv → Request a certificate → Advanced certificate request → Submit CSR.
Choose the correct certificate template (e.g., Web Server, Subordinate CA, etc., depending on usage).
Submit and download the signed certificate (usually .cer or .p7b).

4. Import Signed Certificate Back into Gaia

Go back to Gaia Portal → Device → Certificates → Outgoing Certificates.
Select your pending CSR request.
Click Import Certificate and upload the .cer (or export from CA as Base64 if needed).
Once imported, the status will change to Valid.

5. (Optional) CLI Method

If you prefer CLI:

Transfer the .csr to your Windows CA, sign it, then bring the .cer back.
Import both .key and .cer into Check Point with cpca_client or via Gaia Portal.

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

emmap — Wed, 17 Sep 2025 01:45:08 GMT

We have it documented here: https://support.checkpoint.com/results/sk/sk165856

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

the_rock — Wed, 17 Sep 2025 01:49:17 GMT

Perfect, even better!

Andy

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

Emil_T — Wed, 17 Sep 2025 18:53:40 GMT

There is no such menu in Gaia GUI: Device > Certificates > Outgoing Certificates

I will try what emmap suggested

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

the_rock — Wed, 17 Sep 2025 18:42:58 GMT

Fair enough, its an official CP documentation anyway.

Andy

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

Emil_T — Thu, 18 Sep 2025 05:01:40 GMT

I followed sk165856, But instead of step 6 i used the method below (since step 6 failed and generated this error: unable to load certificates

-Run "cpopenssl pkcs12 -export -in inspection-ca.cer -inkey inspection-key.pem -out inspection.pfx"

-After got the certificate in .pfx format, rename it to .p12 format

-Import to smart console.

https://community.checkpoint.com/t5/Management/OpenSSL-latest-version-support-for-pkcs12-cert-creation/td-p/198769

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

emmap — Thu, 18 Sep 2025 08:01:45 GMT

OK, you haven't included the rootCA in there, so if you have trust issues from endpoints that are trusting that root CA that might be why. Let us know how you go anyway.

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

the_rock — Thu, 18 Sep 2025 10:05:49 GMT

Maybe it was wrong cert extension?

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

Emil_T — Thu, 18 Sep 2025 15:47:19 GMT

Thx! I'll let you know.

The root-ca is the internal organizational ca, so to the best of my knowledge, every domain member should trust it.

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

Emil_T — Thu, 18 Sep 2025 15:49:51 GMT

I'm not sure. I don't believe file extensions really matter when using openssl

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

the_rock — Thu, 18 Sep 2025 15:49:51 GMT

So, on step 6, since you said thats where it faisl it only gives that error unable to load certificate?

Andy

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

the_rock — Thu, 18 Sep 2025 15:51:09 GMT

I am fairly sure to import it into smart console, it would have to be .p12 extension, but I could be mistaken.

Andy

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

Emil_T — Thu, 18 Sep 2025 15:52:34 GMT

Correct. And seems like I'm not the only one. But with the workaround everything seems to be working. I already made some test and the endpoint can see the certificate that the firewall issues and it is trusted as the root-ca is a trusted CA of the endpoint

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

Emil_T — Thu, 18 Sep 2025 15:54:16 GMT

You are correct. Smart console only looking for p12 file. That's why there is a rename extension step in the workaround I guess.

Re: HTTPS inspection - Create a CSR for outbound certificate for external CA

the_rock — Thu, 18 Sep 2025 15:55:26 GMT

Well, as long as all the relevant certs are included in truster root store on user's PC, then you are good.

I made post about this as well.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139