topic Re: Create CSR and Importing third party certificate in Mobile Access Blade in SASE and Remote Access

Create CSR and Importing third party certificate in Mobile Access Blade

Gaurav_Pandya — Wed, 28 Feb 2018 13:07:45 GMT

Hi All,

This is about Creating CSR and importing third party certificate to gateway for Mobile Access Blade. We have already SK69660 but adding snapshot for better idea.

First generate Request to generate certificate (CSR) with below command.

cpopenssl req -new -out <CERT.CSR> -keyout <KEYFILE.KEY> -config $CPDIR/conf/openssl.cnf

Then you can send this *.csr file to third party so that they can create certificate for you.

Third party will give you combined certificate where 3 certificates (Primary SSL, Intermediate & Root) will resides or separate certificates. If you receive separate certificates then you need to combine all certificates in Text Editor as suggested in sk69660. Please make combined file in *.crt format.

Now the final stage is to import certificate in Firewall but before that we need to convert this certificate ext from *.crt to *.P12 You need to use below command for conversion.

cpopenssl pkcs12 -export -out <New file name as P12> -in <Your combined certificate> -inkey <Private key which is generated during CSR>

Now this *.P12 file you need to import in Gateway --> Properties --> Mobile Access --> Portal Setting --> Import the file.

Save & Push policy.

Now when you connect sslvpn (https://Gateway_IP/sslvpn), you will not get any certificate error and you can see certificate that is provided by third party.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Zaw_Hein_Aung — Tue, 15 May 2018 16:46:24 GMT

I am getting a pop up to key-in password, but I didn't set any password on .p12 file. Any idea please?

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Gaurav_Pandya — Wed, 16 May 2018 15:39:01 GMT

I have kept password. If you didn't set password then just keep it blank and enter, it fails then I think you can regenerate the .p12 and keep password.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Zaw_Hein_Aung — Thu, 17 May 2018 03:08:57 GMT

Thanks for the reply, I had tried that too. Received the same "password is incorrect" error regardless the certificate is with or without password.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Gaurav_Pandya — Mon, 21 May 2018 14:13:41 GMT

Hmm. Strange.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Zaw_Hein_Aung — Fri, 25 May 2018 06:33:13 GMT

I've managed to make it work with a workaround. Export the .P12 cert using openssl on windows server and import to CP gateway.

CP tech support is still checking why the cert exported from security gateway is not working.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Gaurav_Pandya — Fri, 25 May 2018 17:13:49 GMT

Ok. Please let us know whatever the result is.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Brian_Kirwan — Mon, 16 Jul 2018 17:09:19 GMT

I had a similar issue importing server certs for https inspection, i found that i needed to use the -passin and -passout options with openssl when creating the p12 or else the import always failed with incorrect password

openssl pkcs12 -export -out website.p12 -inkey website.key -in website.pem -certfile ca-chain.pem -passin pass:privatekeypass -passout pass:privatekeypass

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Alsnator_C — Thu, 23 Aug 2018 02:44:47 GMT

Is there any procedure on how to do it on cluster firewalls?

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Di_Junior — Fri, 28 Sep 2018 16:08:16 GMT

Hi there, I would like to know the same thing. Did you perhaps managed to get it to work in cluster environment.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Vladimir — Fri, 19 Oct 2018 19:08:25 GMT

I am about to do this in a clustered production environment and will try to remember to update this thread. Of note though is that when generating CSR, I had to include "-newkey rsa:2048" in the command:

"openssl req -new -newkey rsa:2048 -nodes -out gw8010.blablabla.com.rsa.csr -keyout gw8010.blablabla.com.rsa.pkey -subj "/C=US/ST=New Jersey/L=Wayne/O=Higher Intelligence LLC/CN=gw8010.blablabla.com"

Else the CA was complaining.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Vladimir — Wed, 24 Oct 2018 19:07:50 GMT

No problem with deployment in the clustered environment.

Just completed it today.

You perform CLI certificate operations on a single cluster member, but import resultant certificate in the SmartConsole in the Cluster Object's properties.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Ilmo_Anttonen — Wed, 15 May 2019 12:21:22 GMT

I started this process last week, creating the CSR and requested the cert. Today when I was going to finish it, I realised that I should have noted the key-file which I used to sign the CSR request. Because I need to re-use that same key now to install the certificate, right?

Question is, what to do if I lost the pw to the .key file?

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Ilmo_Anttonen — Wed, 15 May 2019 14:13:59 GMT

The solution was to just create a new csr.

Now I know I need to save the password for the inkey file.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

AC1 — Tue, 01 Feb 2022 10:19:50 GMT

I recently encountered the same problem when importing a certificate - an error message about an incorrect password. I tried different options with openssl and a banal change in the extension of the certificate file from pfx to p12 helped me.

Re: Create CSR and Importing third party certificate in Mobile Access Blade

shantilalSuthar — Fri, 08 Sep 2023 07:31:35 GMT

Hi,

I am using IPsec for remote access. How do i import the p12 certificate for that ?

Re: Create CSR and Importing third party certificate in Mobile Access Blade

Jerry — Fri, 28 Nov 2025 09:20:16 GMT

hi folks quick one

I'm seeking docs of cpopenssl pkcs12 -import but cannot find anything all over the web.

I need to extract p12 on the shell of another gw but seems cpopenssl does not provide any syntax help on that.

any ideas ?