https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262254#M1511 <P>Excellent points&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/73547">@Lesley</a>&nbsp;</P> Sat, 08 Nov 2025 20:19:26 GMT the_rock 2025-11-08T20:19:26Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262246#M1508 <P>Hello,</P><P>If you don’t want VPN clients to receive warnings every time the server certificate changes, don’t import only the server certificate. Instead, include the root and intermediate certificates within the server certificate itself. You can do this using the command below.</P><P>Assume you have one SubCA:&nbsp;</P><P>cat SubCA.crt rootCA.crt &gt;&gt; fullchain.crt&nbsp;</P><P>cpopenssl pkcs12 -export&nbsp;-inkey private.key&nbsp; -in cert.crt&nbsp; &nbsp;-certfile fullchain.crt&nbsp; &nbsp;-name "myCert"&nbsp; &nbsp;-out mycert.p12</P><P>Import this file into the Mobile Portal. The fingerprint shown will correspond to the Root CA.</P><P>After this, you won’t see any warnings as long as the Root CA remains the same.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 08 Nov 2025 14:22:49 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262246#M1508 Cihat_Bulut 2025-11-08T14:22:49Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262252#M1509 <P>Excellent, thank you for that&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/13382">@Cihat_Bulut</a>&nbsp;</P> Sat, 08 Nov 2025 18:55:07 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262252#M1509 the_rock 2025-11-08T18:55:07Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262253#M1510 <P>Thanks for the tip first of all.</P> <P>Only thing I would like to add if you use a fail chain will give an anchor warning in SSL labs.&nbsp;</P> <DIV class="test-id__field-label-container slds-form-element__label" data-aura-rendered-by="81:181;a"><SPAN class="test-id__field-label" data-aura-rendered-by="82:181;a">Instructions</SPAN> <DIV class="slds-form-element__icon">&nbsp;</DIV> </DIV> <DIV class="slds-form-element__control slds-grid itemBody" data-aura-rendered-by="84:181;a"> <DIV class="slds-rich-text-editor__output uiOutputRichText forceOutputRichText selfServiceOutputRichTextWithSmartLinks" dir="ltr" data-aura-rendered-by="76:181;a" data-aura-class="uiOutputRichText forceOutputRichText selfServiceOutputRichTextWithSmartLinks"> <P data-aura-rendered-by="77:181;a">When scanning through<SPAN>&nbsp;</SPAN><A href="https://www.ssllabs.com/ssltest/" target="_blank" rel="noopener" data-aura-rendered-by="77:181;a">SSL Labs</A>, it shows "Chain issues&nbsp; Contains anchor"<BR data-aura-rendered-by="77:181;a" /><BR data-aura-rendered-by="77:181;a" />It means that you have added Intermediate as well as Root CA, when you only need the Intermediate as the client will already have Root CA (will be already trusted by browser in browser certificate store).</P> It's not an issue in the sense that the anchor is not allowed, but that the extra certificate (which serves no purpose) is increasing the handshake latency.&nbsp; <P data-aura-rendered-by="77:181;a">Because of TCP slow start, the first bytes on a connection are the&nbsp;slowest. Hence, you can&nbsp;minimize the size of the handshake&nbsp;so that HTTP bytes can start flowing as soon as possible. So the issue is not so much "can the extra certificate fit into the initial window" (it most likely can, even with the old setting of 3 network segments), but "what other, more useful, data could we be sending instead".</P> <P data-aura-rendered-by="77:181;a">Also this sk is relevant for fingerprints:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk66263" target="_blank">https://support.checkpoint.com/results/sk/sk66263</A></P> </DIV> </DIV> Sat, 08 Nov 2025 20:04:32 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262253#M1510 Lesley 2025-11-08T20:04:32Z https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262254#M1511 <P>Excellent points&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/73547">@Lesley</a>&nbsp;</P> Sat, 08 Nov 2025 20:19:26 GMT https://community.checkpoint.com/t5/SASE-and-Remote-Access/Avoid-fingerprint-warning-after-certificate-renewal/m-p/262254#M1511 the_rock 2025-11-08T20:19:26Z