https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56983#M12191 Specifically when you import the root CA key, you need to include as part of the bundle all of the intermediate certificates that might be necessary. Fri, 28 Jun 2019 19:14:15 GMT PhoneBoy 2019-06-28T19:14:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56959#M12188 <P>Hi,</P><P>endpoint-vpn with username/password is working well.</P><P>but with certificate from external ca it isnt working.</P><P>CA and SUBCA are setup as objects. ldap-accountunit is also setup.</P><P>i got the following error:</P><P>&nbsp;</P><P>Time: 2019-06-28T12:52:51Z<BR />Id: d977d512-0972-0000-5d16-0da300000000<BR />Sequencenum: 2147483647<BR />Category: Session<BR />Event Type: Login<BR />Name: Endpoint Security<BR />Version: E81.00<BR />Build Number: 986100516<BR />User: yyy<BR />Authentication Method: Certificate<BR />User DN: CN=xxx,OU=Mitarbeiter,OU=Benutzer,OU=xxx,DC=intern,DC=xxx,DC=de<BR />Certificate Fingerprint: 2f:79:67:2e:99:5b:95:68:83:8d:9c:c6:e3:ea:79:aa:8a:8d:30:69<BR />Certificate Serial Number:74000004294ef08ececf626662000000000429<BR />User Groups: ad_branch_Benutzer<BR />Model: PC<BR />OS Name: Windows<BR />OS Version: 7<BR />OS Edition: Professional<BR />OS Service Pack: Service Pack 1<BR />OS Build: 7601<BR />OS Bits: 64bit<BR />ID: C3DCD549-1354-4D35-A163-81495FDFDDF9<BR />Re-authentication every:<BR />Login Timestamp: 2019-06-28T12:52:51Z<BR />Source Country: Germany<BR />Source: ip<BR />IP: ip<BR />IP Protocol: 6<BR />Destination Port: 443<BR />Data Protocol: IPSec<BR />Status: Failure<BR />Reason: cannot complete certificate chain CN=yyy,OU=Mitarbeiter,OU=Benutzer,OU=xxx,DC=intern,DC=xxx,DC=de<BR />Suppressed Logs: 0<BR />Action: Failed Log In<BR />Type: Log<BR />Blade: Mobile Access<BR />Origin: fw01<BR />Service: TCP/443<BR />Product Family: Access<BR />Marker: @A@@B@1561712292@C@6990655<BR />Index Time: 2019-06-28T12:52:51Z<BR />Lastupdatetime: 1561726371000<BR />Lastupdateseqnum: 2147483647<BR />MAC Address: a0:b3:cc:c2:6e:bc<BR />Stored: true<BR />Name: hostname<BR />Source Machine Name: ag-401-1324<BR />Data Encryption: AES-256 + SHA1 + Group 2<BR />Severity: Informational<BR />Rounded Sent Bytes: 0<BR />Confidence Level: N/A<BR />Rounded Bytes: 0<BR />Rounded Received Bytes: 0<BR />OS: Windows 7 Professional Service Pack 1 64bit (build 7601)<BR />Login Option Factors: Certificate</P><P>&nbsp;</P><P>i think gateway needs certificate from external CA, but i cant import a certificate. creating csr works, but i got error from ca.</P><P>can anyone help, howto create cert for gateway? or is it another problem?</P><P>&nbsp;</P><P>thanks&nbsp;</P><P>daniel</P> Fri, 28 Jun 2019 13:12:01 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56959#M12188 Daniel_Hainich 2019-06-28T13:12:01Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56968#M12189 <P>Have you already imported your trusted ca on the management?</P><P>Once you have a certificate for the security gateway you need to specify wich certificat the vpn client need to use to authenticate in the vpn client gateway tab and then you need to move authentication to personal certificate , if you have a subca you need to import that too</P><P>&nbsp;</P> Fri, 28 Jun 2019 15:09:50 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56968#M12189 Marco_Valenti 2019-06-28T15:09:50Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56977#M12190 Hi, yes ca and subca are successfully Imported. I need Gateway certificate from subca with CSR. But I don't know how I finsh this CSR with Windows-CA. Fri, 28 Jun 2019 17:53:58 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56977#M12190 Daniel_Hainich 2019-06-28T17:53:58Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56983#M12191 Specifically when you import the root CA key, you need to include as part of the bundle all of the intermediate certificates that might be necessary. Fri, 28 Jun 2019 19:14:15 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56983#M12191 PhoneBoy 2019-06-28T19:14:15Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56987#M12192 I have added root-ca and sub-ca as 2 objects in mgmt. Do I have to bundle root and sub cert to add root-ca? Fri, 28 Jun 2019 19:32:00 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56987#M12192 Daniel_Hainich 2019-06-28T19:32:00Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56990#M12193 Both the root and sub-ca need to be bundled and imported as a single object. Fri, 28 Jun 2019 21:07:32 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/56990#M12193 PhoneBoy 2019-06-28T21:07:32Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/57063#M12194 i have delete root-ca and sub-ca to create a new one.<BR />but now i got error:<BR /><BR />Error: Certificate with the same Distinguished Name already installed for another CA.<BR /><BR />how i can delete the certificate?<BR /><BR />Management is on R80.20 Take 47<BR /><BR />thanks<BR />daniel Mon, 01 Jul 2019 06:27:16 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/57063#M12194 Daniel_Hainich 2019-07-01T06:27:16Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/57192#M12195 <P>i have delete the root-ca and sub-ca, but i did not find the certificates within guidbedit.</P><P>i solved the problem with an reboot of the sms.</P><P>now all "old" certificates are gone and i recreate root-ca with bundled p7b certificate.</P> Tue, 02 Jul 2019 05:57:24 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/57192#M12195 Daniel_Hainich 2019-07-02T05:57:24Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/97231#M12196 <P>Reboot just fixed the issue for me.<BR />I recreated it in a Lab so thought I would add this note for future readers.</P><P>My error was caused by adding Trusted and Sub CA's but discarding them before publishing. So...<BR /><BR />DO NOT ‘Discard Changes’ in SmartConsole until Certs, Trusted and Subordinate CA’s are deleted in the correct order sub/intermediate/root (which you are forced to do anyway), or you will not be able to add the same CA’s until the manager is rebooted.</P><P>i.e. Delete VPN certs. Then Delete Sub. Then Intermediate. Then Root. Then discard changes.</P><P>Or publish the changes, then delete certs and CA's etc, and publish again.</P> Tue, 22 Sep 2020 02:15:43 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Endpoint-VPN-with-ext-CA-cannot-complete-certificate-chain/m-p/97231#M12196 spottex 2020-09-22T02:15:43Z