topic Re: Changing the Certificate presented during Endpoint Security Client in SASE and Remote Access

Changing the Certificate presented during Endpoint Security Client

Di_Junior — Fri, 03 Apr 2020 08:09:55 GMT

Good day Mates

We are currently using the Check Point Endpoint Security, and during the Site creation, we are presented with a self-signed certificate. We wish to change that to a certificate signed by a CA.

Any idea on how that could be accomplished? we are using R80.20.

Thanks in advance

Re: Changing the Certificate presented during Endpoint Security Client

PhoneBoy — Mon, 06 Apr 2020 03:50:18 GMT

Why do you wish to change the CA used here exactly?

The key presented is signed by a Certificate Authority: the internal Check Point one.
As it is used for a lot of things (including VPN), the internal CA cannot be removed.
You also cannot replace the internal CA with an external one.

I know for site-to-site VPNs for third parties, you can specify which Certificate Authorities can be used for VPN.
That's done here:

To add a different trusted CA, you need to create an object for it:

Whether that works for Remote Access VPN is a separate question.
Even if you could, I don't believe it changes the end user experience at all (i.e. they'll still get prompted to validate the site certificate when they first connect).

Re: Changing the Certificate presented during Endpoint Security Client

Norbert_Bohusch — Mon, 06 Apr 2020 06:06:16 GMT

Sure it can be changed and it is often necessary, if you have external partners connecting using a client VPN solution.

You have to first add the CAs, then create a CSR in the IPSEC VPN of the gateway.

Here an example from my lab:

After completing the CSR, you can choose the certificate under "VPN Client":

But if you have Mobile Access active and you change the certificate there on the MP daemon, you don't need this and it is also changed for VPN clients:

Re: Changing the Certificate presented during Endpoint Security Client

Di_Junior — Mon, 06 Apr 2020 07:27:32 GMT

Hi Norbert
Thanks for your help.
Could you kindly tel me how to generate a CSR in the IPSEC of the gateway?
Thanks once again

Re: Changing the Certificate presented during Endpoint Security Client

Norbert_Bohusch — Mon, 06 Apr 2020 07:29:59 GMT

You click add, choose the right CA (has to be imported before), then enter details like DN and SAN.
After clicking ok, you can select the line with the new certificate and click view. Then you see the CSR.
You let your CA sign the CSR and then go back to this menu and click complete and paste the cert.

Re: Changing the Certificate presented during Endpoint Security Client

Di_Junior — Mon, 06 Apr 2020 08:22:06 GMT

Hi Norbet
This is something I have not done before, so please where can I get the CA to be imported? and where is it imported from?
Thanks

Re: Changing the Certificate presented during Endpoint Security Client

Norbert_Bohusch — Mon, 06 Apr 2020 08:26:21 GMT

This was already by Phoneboy above.
Just add an object called "Trusted CA" (and Intermediate if you have Sub CAs) and import the certificate of the CA.

Re: Changing the Certificate presented during Endpoint Security Client

Di_Junior — Mon, 06 Apr 2020 08:59:25 GMT

Hi Norbet

I saw it thanks.
One final question, once the certificate is signed by CA, users will no longer get that Certificate Error Message when configuring VPN site right?

Re: Changing the Certificate presented during Endpoint Security Client

Norbert_Bohusch — Mon, 06 Apr 2020 09:03:44 GMT

Users who are trusting the relevant CA will not receive a warning...

Re: Changing the Certificate presented during Endpoint Security Client

Di_Junior — Mon, 06 Apr 2020 10:56:14 GMT

Hi Phoneboy
Thanks for your feedback.
Just for knowledge purposes, I would like to know which other things uses this certificate.

Re: Changing the Certificate presented during Endpoint Security Client

Norbert_Bohusch — Mon, 06 Apr 2020 10:57:36 GMT

If you only import for IPSEC VPN, it can only be used for VPN and Remote Access.

Re: Changing the Certificate presented during Endpoint Security Client

Di_Junior — Wed, 08 Apr 2020 11:39:27 GMT

Hi Norbert
Thank you very much.

It worked...

Re: Changing the Certificate presented during Endpoint Security Client

GHaider — Wed, 16 Dec 2020 18:20:33 GMT

if you have "mobile access" blade disabled, this setting is ignored, and it always uses the defaultCert from the internal CA...

no way to change the certificate for me... 😞

Re: Changing the Certificate presented during Endpoint Security Client

Norbert_Bohusch — Thu, 17 Dec 2020 08:47:03 GMT

It might be that some other cert is used from another https portal.

Enabling one portal, changing certificate there and disabling it, might help.

Re: Changing the Certificate presented during Endpoint Security Client

brunoobr — Mon, 13 Nov 2023 20:19:16 GMT

Hello Nobert!

I came to this forum last year and based on this discussion, I was able to gen a CSR and use a valid third-party certificate in my RA-VPN. Now I need renew my cert and form some reason, I'm getting an erro message that a similar cert is in use. I've tried different methods, but nothing seems to work.

I'm dropping a screenshot with the error for reference. Is there a way to gen a CSR without deleting the actual certificate?

Re: Changing the Certificate presented during Endpoint Security Client

Norbert_Bohusch — Mon, 13 Nov 2023 20:38:47 GMT

You have to delete it.

Just don’t push policy until you complete the procedure.

Re: Changing the Certificate presented during Endpoint Security Client

brunoobr — Mon, 13 Nov 2023 20:40:37 GMT

Ok. Got it. Thanks!

Re: Changing the Certificate presented during Endpoint Security Client

Leon_Noble — Fri, 02 Feb 2024 14:20:56 GMT

Hi Norbert,

Thank you for the above information, this is all very helpful. Silly question time, for the users trusting the relevant subordinate CA and CA, I assume this trust is validated using the respective CA certificates stored in the local machines Trusted Root Certification Authorities and Intermediate Certification Authorities certificate repository?

Then the remote client validates the certificate presented by the Gateway using this chain without prompting the user to trust the new/updated certificate?

Re: Changing the Certificate presented during Endpoint Security Client

PhoneBoy — Thu, 08 Feb 2024 23:19:40 GMT

That's correct to the best of my knowledge.