<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: External CA certificate authentication in SASE and Remote Access</title>
    <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/208371#M3973</link>
    <description>&lt;P&gt;Whenever certificates are used, either CRL or OCSP must be used to validate the certificates, regardless of source.&lt;BR /&gt;The exact URL that is used to do this (listed in the certificate itself) must be accessible to all parties involved.&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2024 18:03:02 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2024-03-11T18:03:02Z</dc:date>
    <item>
      <title>External CA certificate authentication</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/207466#M3972</link>
      <description>&lt;P&gt;Hello community!&lt;/P&gt;
&lt;P&gt;I wanted to ask about some doubts we are facing during the re-design of the remote access service with one customer. The goal is to provide MFA. One factor is RADIUS and it is working fine. This is a cluster of 2 x 1800 on R81.10.08, centrally managed; the mgmt version is R81.20 jumbo 41.&lt;/P&gt;
&lt;P&gt;For the other factor we are trying certificates. With certs created from the mgmt it works perfectly, but the customer needs to use certificates from an existing CA (it is not the AD). The certificates are already deployed on the clients, but when we try to use that cert we get a "certificate invalid" error on the client, and logs on mgmt show "OCSP: could not connect to server. Make sure the server is up and running."&lt;/P&gt;
&lt;P&gt;We have already created CA and subCA objects on mgmt; also, I can see traffic on port 80 from the gateway to the CA server, I think trying to validate the cert.&lt;/P&gt;
&lt;P&gt;Is it mandatory to use OCSP to validate certificates from the CA, or do we have other options?&lt;/P&gt;
&lt;P&gt;The cert CN is username@domain; is there any configuration to make the gateway read only the username portion?&lt;/P&gt;
&lt;P&gt;Is there anything else we should do on the Check Point side? The customer already asked the CA admin to check if OCSP is enabled on the server, but I wanted to see if I am missing something.&lt;/P&gt;
&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Thu, 29 Feb 2024 12:57:42 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/207466#M3972</guid>
      <dc:creator>RS_Daniel</dc:creator>
      <dc:date>2024-02-29T12:57:42Z</dc:date>
    </item>
    <item>
      <title>Re: External CA certificate authentication</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/208371#M3973</link>
      <description>&lt;P&gt;Whenever certificates are used, either CRL or OCSP must be used to validate the certificates, regardless of source.&lt;BR /&gt;The exact URL that is used to do this (listed in the certificate itself) must be accessible to all parties involved.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2024 18:03:02 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/208371#M3973</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2024-03-11T18:03:02Z</dc:date>
    </item>
    <item>
      <title>Re: External CA certificate authentication</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/211980#M3974</link>
      <description>&lt;P&gt;But why is my client trying to validate OCSP now when it did not before? This was being handled by the server.&lt;/P&gt;</description>
      <pubDate>Mon, 22 Apr 2024 17:53:19 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/211980#M3974</guid>
      <dc:creator>rbeck-TMWA</dc:creator>
      <dc:date>2024-04-22T17:53:19Z</dc:date>
    </item>
    <item>
      <title>Re: External CA certificate authentication</title>
      <link>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/211982#M3975</link>
      <description>&lt;P&gt;Disregard my last reply&lt;/P&gt;</description>
      <pubDate>Mon, 22 Apr 2024 18:26:52 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/SASE-and-Remote-Access/External-CA-certificate-authentication/m-p/211982#M3975</guid>
      <dc:creator>rbeck-TMWA</dc:creator>
      <dc:date>2024-04-22T18:26:52Z</dc:date>
    </item>
  </channel>
</rss>