https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-certificate-authentication-on-R80-20/m-p/83505#M10564 <P>I have an end customer who wants to be able to deploy machine authentication for clients and username and password but then if they have people using their own PC, they will use the clientless portal (SNX).&nbsp;</P><P>&nbsp;</P><P>Following SK121173, we obtained the hotfix "<SPAN>fw1_wrapper_HOTFIX_R80_20_JHF_T114_469_470_MAIN_GA_FULL</SPAN>" from our local SE.&nbsp;</P><P>&nbsp;</P><P>If I implement the following, we are able to log in with just username and password: -</P><P><EM>ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 1</EM></P><P>&nbsp;</P><P><EM>But if I enforce machine certificate authentication by running&nbsp;ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 2 , it fails.&nbsp;</EM></P><P>At first I was receiving an error stating the CRL could not be fetched. I disabled this by unchecking the option on the trusted CA server object as I wanted to be able to test it working first.&nbsp;</P><P>I now get the following error: -</P><P>"Connection Failed: Machine certificate is required".&nbsp;</P><P>&nbsp;</P><P>I generated a certificate and installed on the client PC but still get the same error message.&nbsp;</P><P>Does the certificate have to be installed in a particular certificate store?</P><P>&nbsp;</P> Tue, 28 Apr 2020 15:53:09 GMT scottikon 2020-04-28T15:53:09Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-certificate-authentication-on-R80-20/m-p/83505#M10564 <P>I have an end customer who wants to be able to deploy machine authentication for clients and username and password but then if they have people using their own PC, they will use the clientless portal (SNX).&nbsp;</P><P>&nbsp;</P><P>Following SK121173, we obtained the hotfix "<SPAN>fw1_wrapper_HOTFIX_R80_20_JHF_T114_469_470_MAIN_GA_FULL</SPAN>" from our local SE.&nbsp;</P><P>&nbsp;</P><P>If I implement the following, we are able to log in with just username and password: -</P><P><EM>ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 1</EM></P><P>&nbsp;</P><P><EM>But if I enforce machine certificate authentication by running&nbsp;ckp_regedit -a SOFTWARE/CheckPoint/VPN1 machine_cert_auth 2 , it fails.&nbsp;</EM></P><P>At first I was receiving an error stating the CRL could not be fetched. I disabled this by unchecking the option on the trusted CA server object as I wanted to be able to test it working first.&nbsp;</P><P>I now get the following error: -</P><P>"Connection Failed: Machine certificate is required".&nbsp;</P><P>&nbsp;</P><P>I generated a certificate and installed on the client PC but still get the same error message.&nbsp;</P><P>Does the certificate have to be installed in a particular certificate store?</P><P>&nbsp;</P> Tue, 28 Apr 2020 15:53:09 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-certificate-authentication-on-R80-20/m-p/83505#M10564 scottikon 2020-04-28T15:53:09Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-certificate-authentication-on-R80-20/m-p/83518#M10565 Yes, it needs to be a machine certificate from the Windows System Store.<BR />Note that if you have multiple machine certs, we will choose the one with the longest expiration date to authenticate with. Tue, 28 Apr 2020 17:25:06 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-certificate-authentication-on-R80-20/m-p/83518#M10565 PhoneBoy 2020-04-28T17:25:06Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-certificate-authentication-on-R80-20/m-p/89689#M10566 <P>The issue was resolved by adding the Root CA as a trusted CA server and importing that certificate. The subs wouldn't work. This solution was in collaboration with Check Point R&amp;D.&nbsp;</P><P>&nbsp;</P><P>I have asked for the SK121173 to be updated but doesn't look like it has yet.</P> Wed, 24 Jun 2020 13:24:08 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Machine-certificate-authentication-on-R80-20/m-p/89689#M10566 scottikon 2020-06-24T13:24:08Z