topic Re: Import P12 Certificate in SASE and Remote Access

Import P12 Certificate

_Daniel_ — Sun, 24 May 2020 23:41:16 GMT

Hi there,

We're merging a R80.20 into a R80.30 SMS, the number of rules on the R80.20 is low -around 40 rules- so we're doing it via a simple script to create the objects/groups etc. which we don't have any issue with

The R80.20 is managing a single gateway used for remote access, the certificate used on it, is generated by the customer own CA server (we got a trusted root, subordinate and then the certificate).

We did export it using the command export_p12, though how shall we import it into the R80.30 SMS?

Obviously import_p12 command doesn't exist, looked around but couldn't find any leads

Cheers

Ps: we could've re-created the certificate on R80.30 from scratch, but we're trying to avoid the fingerprint warning window upon users trying to connect.

Re: Import P12 Certificate

PhoneBoy — Mon, 25 May 2020 19:58:11 GMT

Pretty sure this is done on the relevant gateway object in SmartConsole.
You may also need to create an OPSEC CA object for the relevant CA as well, requiring the public CA key.

Re: Import P12 Certificate

_Daniel_ — Mon, 25 May 2020 21:33:42 GMT

Thanks Dameon,

We managed to import the Root CA and its subordinate with no issue (click on the trusted certificate --> from OPSEC PKI select Save As.., then on the new SMS create a new Root|Subordinate and clicking on "Get", pointing to the file saved in the previous step.

Though when it comes to the actual certificate (using the Root and Subordinate created above), there isn't a similar approach. Clicking on the gateway properties then IPSec VPN, you only have one choice to use the "Add" button which generates a new CSR file to sign the certificate, no import or get from a p12 file!

Re: Import P12 Certificate

PhoneBoy — Tue, 26 May 2020 15:33:26 GMT

Hm... yeah, you're right, there's no obvious option for this.
Let me check with the experts here.

Re: Import P12 Certificate

ritchiet — Thu, 15 Jul 2021 14:51:42 GMT

Curious as to whether there was a method discovered which allowed the import of a cert/key pair? I too am stuck facing only the option of generating a new CSR when I want to import.

Re: Import P12 Certificate

RamGuy239 — Fri, 16 Jul 2021 10:26:02 GMT

I'm pretty sure this is one of the limitations of using custom certificates for remote access / VPN when not using the mobile access blade. If the mobile access blade is in use you have much better options for adding custom certificates and you should be able to simply import it directly without creating a new csr.