topic Re: IPSec VPN certificate in SASE and Remote Access

IPSec VPN certificate

abihsot__ — Mon, 09 Aug 2021 14:47:04 GMT

Hi there,

I wanted to upload 3rd party certificate to the gateway, however the only option is to use "add" button, which in turn would generate private key, CSR and will wait for me to come back with signed certificate and do "complete".

It all would be fine, however I want to upload the same certificate on multiple gateways. I see "export P12", so I assume there is a hidden way to "import P12"?

Re: IPSec VPN certificate

PhoneBoy — Mon, 09 Aug 2021 15:13:43 GMT

Don’t believe you can or should use the same certificate on multiple gateways.

Re: IPSec VPN certificate

abihsot__ — Mon, 09 Aug 2021 15:40:16 GMT

I understand your concerns, but there might be cases where it could be beneficial.

I assume "export P12" button is for making backup of certificate + private key, however what is the purpose of such backup if you can't import it?

Re: IPSec VPN certificate

PhoneBoy — Mon, 09 Aug 2021 15:46:11 GMT

I believe that is for the public Certificate Authority key, not the gateway certificate.

Re: IPSec VPN certificate

Yuber_Sierra_av — Tue, 11 Oct 2022 21:31:49 GMT

Hello @PhoneBoy,

I'm worndering the same as @abihsot__ , in my case I'm replacing old Cluster to new gateway models, so, I need to import the IPSec VPN Certificate which resides in the SMS, but there is no such option to Import the certificate to the new Cluster.

Thank you.

Re: IPSec VPN certificate

Aaron_Vivadelli — Fri, 21 Oct 2022 19:24:01 GMT

Try this one.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk179785&partition=Advanced&product=Mobile

Re: IPSec VPN certificate

PhoneBoy — Fri, 21 Oct 2022 19:48:12 GMT

That SK talks about exporting the certificate.
The question is about importing an existing certificate with a private key for IPsec VPN, which is not supported or best practice.
If you generate a new certificate using the same Certificate Authority as the previous certificate, it should work without difficulty.

Re: IPSec VPN certificate

ivdolbnia — Wed, 01 Mar 2023 07:53:35 GMT

I see many requests like that online. Also I am facing the similar situation - ability to export/import existing certificate is crucial for proper operational management of the devices. Once we want to swap/replace device or virtual appliance - we need to configure everything from scratch automatically (migrate doesn't work in our case) - I can do everything through API, but we NEED to export/import VPN certificates for our tunnels - otherwise we need to go through very complicated process with CSR (basically fly to another country to get it on CD as this is security requirement). How can we proceed with such feature being added?

Re: IPSec VPN certificate

_Val_ — Wed, 01 Mar 2023 09:36:49 GMT

Backup and restore should cover replacement in most cases. As @PhoneBoy mentioned already, there is a reason it is hard or even impossible to extract a certificate with a private key. It is done for very serious security reasons.

For VPN purposes, you can actually generate a new certificate from a trusted CA. That should not affect tunnel functionalities. As long as VPN peers trust certificates from the other side, you should be fine.

Re: IPSec VPN certificate

RamGuy239 — Wed, 01 Mar 2023 12:52:23 GMT

Third-party VPN certificates have always been rather tedious on Check Point. First, you must create a Trusted CA, then a subordinate CA to get the entire chain trusted on your management server. Then you have to create the CSR based on this, get it signed, and then import and have it trusted.

I don't think you can utilise the same certificate on multiple gateways, as you will have to start with a new CSR per gateway/cluster.

This process is much easier and seamless with the Mobile Access blade enabled. In Mobile Access, you can simply import .p12 directly without jumping through all the other hoops:

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Content/Topics-MABG/General-Portal-Settings.htm?tocpath=The%20Mobile%20Access%20Portal%7CGeneral%20Portal%20Settings%7C_____0#Portal_Server_Certificate

But I'm not entirely sure if the certificate you import into the Mobile Access portal will be available to choose as a certificate for Site-2-Site IPsec VPN. When you jump through the hoops not using Mobile Access, your certificate will be available for Site-2-Site IPsec VPN and Remote Access. Not entirely sure if that is the case when using Mobile Access or if it will be available for Remote Access only.

Re: IPSec VPN certificate

PhoneBoy — Wed, 01 Mar 2023 19:27:26 GMT

Pretty sure this will not impact anything for Site-to-Site VPN or Remote Access VPN clients that aren't SNX.
We need the Certificate Authorities explicitly defined (the root and any subordinates) in order to correctly verify the certificates in use are still valid.

Re: IPSec VPN certificate

Fiqri_kurniawan — Wed, 03 Apr 2024 04:05:40 GMT

Hello Mr. PhoneBoy,

Does the certificate affect for VPN Site 2 site? Or only for VPN Client Remote Access

Thanks

Re: IPSec VPN certificate

Aaron_Vivadelli — Wed, 03 Apr 2024 14:54:15 GMT

It would affect both client to site and site to site, however unless you have site to site VPN tunnels between 2 check point gateways you manage from the same sms, your site to site vpn is most likely using pre shared key instead of certificates.

If you do have site to site VPNs between Check Point gateways managed by the same sms, you just need to install policy to all the other gateways the gateway in question has a vpn to do they are aware of the new cert as well.

In my experience, this change usually has more of an effect on client to site, but it can have an effect if your site to site VPNs use certificates rather than PSK.

Re: IPSec VPN certificate

cyberluke365 — Thu, 06 Nov 2025 09:47:41 GMT

Hello guys,

I understand this is quite an old topic. However, I’ve been wondering if there’s any way to import an already existing SSL certificate for an IPsec VPN on R81.20 - just like it’s possible to do for the Platform Administration Web Portal, UserCheck and Mobile Access portal ?
Is there any supported method or workaround to achieve this?

Re: IPSec VPN certificate

PhoneBoy — Thu, 06 Nov 2025 15:48:12 GMT

As stated previously, we do not support importing an existing certificate for VPN purpose by design.

Re: IPSec VPN certificate

cyberluke365 — Thu, 06 Nov 2025 23:02:54 GMT

Hello @PhoneBoy,
thank you for your prompt response.

I understand that no changes have been made by Check Point regarding this.

Unfortunately, the current/supported procedure doesn’t apply to my scenario: I’m using a wildcard SSL certificate issued by a public CA. It would have been ideal to use it not only for other portals, but also for client VPNs.

Thank you.