topic Re: SSL Certificate in SASE and Remote Access

SSL Certificate

Sergo89 — Tue, 08 Feb 2022 18:14:33 GMT

Hello,

My main question, how to reach Rating A on ssllabs.com? My certificate chain is broken. And i have no idea how to fix it.

Actually CheckPoint's SSL certificates are not clear for me. First of all - three location, first one - IPSec VPN (we can generate CSR with proper SSL Chain - Root/intermediate/Cert itself), second location - Mobile Access/Portal Settings, third - VPN Clients/SAML Portal.

When i installed self-signed certificate into first location (IPSec VPN) and/or Mobile Access i was getting error. Third location (SAML) i guess not alive anymore. Which one using for Endpoint VPN client? i though Mobile is for Phones and IPSec like for legacy windows VPN clients. Is it right?

My certificate expired and i have to update it, when i did it first time, two years ago, version 80.30 didnt support wild card certificates, and i generated certificate from IPSec VPN and next used openssl magic for conversion to PFX format and next installed it to Mobile access portal. But i dont remember how i did it, and checkpoint support guy said - its wrong and need two certificates. How it works in this case? for example vpn.contoso.com for IPSec and vpnssl.contoso.com for mobile? i think i will see error

same time i have DR firewall, and i generated one certificate from IPSec VPN, and it works fine, my Endpoint Client ignores Mobile Portal and use right certificate (and it has rating A, because certificate chain is ok).

Could explain how it works and how to configure it properly?

thanks

Re: SSL Certificate

HeikoAnkenbrand — Tue, 08 Feb 2022 19:10:14 GMT

Hi @Sergo89,

Here are some tips and sk's about the certificates.

Mobile Access Certificate

The Security Gateway does not have a server certificate that is signed by a trusted 3rd party. Make sure that the server certificate of the Mobile Access gateway is signed by a trusted 3rd party Certification Authority (for example, EnTrust, VeriSign). The 3rd party certificate must replace the self-signed (ICA) certificate.

Note: if you receive a .pfx file, rename the file extension from .pfx to .p12

How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to Mobile Access Blade

GAIA Portal Certificate

See sk97648:
How to create and set certificate for Gaia Portal
or sk116462 for old firewalls:
How to Install P7b format 3rd-party signed certificate on Gaia Portal without Multiportal feature

Internal CA Certificate

sk158096: How to renew an Internal Certificate Authority (ICA) certificate

VPN Certificate

See R8x.x VPN admin guide chapter PKI:
R81.10 Site to Site VPN Administration Guide - PKI

Re: SSL Certificate

Sergo89 — Tue, 08 Feb 2022 18:57:11 GMT

Thanks Heiko, but what do you mean "server certificate"? IPSec or Mobile, and yes i know how to create mobile certificate, but it will be two different certificates with different names. and which one Endpoint client uses? right now it shows me Mobile certificate (wildcard)

Re: SSL Certificate

HeikoAnkenbrand — Tue, 08 Feb 2022 19:38:26 GMT

Then I still do not understand your question 100%.

>>> and which one Endpoint client uses?

With the VPN client, it depends on which one you install:

Endpoint Security VPN -> Uses the internal CA certificate (ICA) and before E80.60 + lower R80.20 the gateway certificate.

Check Point Mobile -> Uses the Mobile Access blade SSL certificate

Re: SSL Certificate

Sergo89 — Tue, 08 Feb 2022 20:08:46 GMT

Its Endpoint VPN, full bundle with AV.

Endpoint Security VPN -> Uses the internal CA certificate (ICA) and before E80.60 + lower R80.20 the gateway certificate.

its mean - IPSec VPN cert?

Re: SSL Certificate

HeikoAnkenbrand — Wed, 09 Feb 2022 08:19:50 GMT

>>> Its Endpoint VPN, full bundle with AV.
For AV scanning you need an additional endpoint server and the managed client sk166428:

>>> its mean - IPSec VPN cert?
Yes - IPSec VPN uses the internal certificate (ICA) for "Endpoint Security VPN" client.

Re: SSL Certificate

Sergo89 — Wed, 09 Feb 2022 20:42:33 GMT

Thanks Heiko,

how to choose which type of VPN we will be using? Full Endpoint Version doesnt have options (Mobile is different story). Do i have to create two different SSL certificates for IPSec VPN and SSL VPN?

Re: SSL Certificate

Sergo89 — Wed, 09 Feb 2022 20:44:41 GMT

Oh! what 0 have found in the manual:

Install the Access Policy on the gateway.
Note - The Repository of Certificates on the IPsec VPN page of the gateway object is only for self-signed certificates. It does not affect the certificate installed manually using this procedure.

Re: SSL Certificate

Sergo89 — Wed, 09 Feb 2022 20:48:34 GMT

its from here:

https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_MobileAccess_AdminGuide/html_frameset.htm?topic=documents/R80.10/WebAdminGuides/EN/CP_R80.10_MobileAccess_AdminGuide/23007

Re: SSL Certificate

Sergo89 — Thu, 10 Feb 2022 00:23:13 GMT

Heiko,

is it possible to find somewhere Private Key when we generate certificate from GUI (IPSec VPN)?