topic Re: Remove Access VPN: Gateway presenting wrong certificate? in SASE and Remote Access

Remove Access VPN: Gateway presenting wrong certificate?

casgrain — Tue, 24 Jan 2023 17:30:57 GMT

Hi,

I've noticed our gateways are presenting the web certificate configured for platform portal/usercheck/saml portal instead of the one under IPSEC VPN.

Am I missing something? From my understanding this is not the expected behavior. I've attached some screenshot in hope it'll help understand my context.

We on R81.10 with hotfix take 81. All clients are version E84 or above.

Re: Remove Access VPN: Gateway presenting wrong certificate?

the_rock — Tue, 24 Jan 2023 18:34:18 GMT

That does not appear right. Let me check it in cusomer's environment and will update you.

Re: Remove Access VPN: Gateway presenting wrong certificate?

the_rock — Tue, 24 Jan 2023 18:48:31 GMT

Question...did you actually end up removing defaultCert that was there? I ask because you can NOT change nickname of a cert, unless new one is created. By the way, checked for another client and they have default cert there and works fine, I deleted their VPN site and created it again and get proper fingerprint. They also use another cert for web UI which is also presented correctly.

Re: Remove Access VPN: Gateway presenting wrong certificate?

casgrain — Tue, 24 Jan 2023 19:07:52 GMT

Yes it was changed a while back, on R77.30 some 4-5 years ago when it expired to what you currently see. I did renew that same cert a few weeks ago since they expired.

Checkpoint support have seen this setting multiple times without mentioning this would be problem so I'm a bit confused...

Re: Remove Access VPN: Gateway presenting wrong certificate?

the_rock — Tue, 24 Jan 2023 19:12:58 GMT

Dont believe its an issue per se, but was more curious.

Re: Remove Access VPN: Gateway presenting wrong certificate?

casgrain — Tue, 21 Mar 2023 16:18:05 GMT

I have the same issue on same version. Any ideas how to resolve this?

Re: Remove Access VPN: Gateway presenting wrong certificate?

the_rock — Tue, 21 Mar 2023 16:25:47 GMT

Whats gw, client version?

Andy

Re: Remove Access VPN: Gateway presenting wrong certificate?

LazarusG — Wed, 03 Jul 2024 16:16:32 GMT

I have similar. Customer had a pen test the highlighted SHA1 in the chain of certs on https://ipadrress:443. So regenerated the ICA cert with sk158096 script. ICA looks to sign with Sha256. So renewed vpn cert and pushed policy but the certificate on the web page doesn't seem to update. They have a saml portal enabled with default cert. GW and MGMT on R81.20. If I do the same process in a lab the cert changes on the web page. Been looking at sk131212, sk94965, sk152713. No idea at moment.

Re: Remove Access VPN: Gateway presenting wrong certificate?

Duane_Toler — Wed, 03 Jul 2024 19:09:14 GMT

If you're just concerned with the fingerprint for the VPN client, then that fingerprint the one of the management server CA, not the gateway's own certificate. This is why the fingerprint doesn't change for the clients just because the gateway's certificate is renewed by the management server. HOWEVER... if you changed your management server certificate, then this WILL change.

I have a script I posted to the Toolbox that can decode it for you:

https://community.checkpoint.com/t5/Scripts/rfc1751-py/m-p/194975#M1130

Get this Python script, and you can run the inline "openssl s_client" command against your gateway which will get you the correct fingerprint you can verify.