topic Re: Secure Domain Logon - Certificate is badly signed in SASE and Remote Access

Secure Domain Logon - Certificate is badly signed

Alias — Fri, 23 Jul 2021 05:49:51 GMT

Hey Mates,

we are using Remote Access VPN with 3rd party CA (Windows PKI) on a 80.20 setup.

When clients try to use the secure logon to connect prior to Windows login, the users get a failed connection with the error message "Certificate is badly signed". As soon, as the windows login is over, the Remote Access login works just fine.

Also, we switched our CA a while ago. This problem only happens with Certificates from the new CA, with certificates from the old ca domain logon works

I dont really understand how to read the "Certificate is badly signed" message

What does this mean? How can it be badly signed and then it is accepted 2 minutes later? Is this a CRL problem?

I would appreciate some input, if anybody had such an issue before

Cheers

Re: Secure Domain Logon - Certificate is badly signed

PhoneBoy — Fri, 23 Jul 2021 07:10:52 GMT

Did you import the CA key and all the intermediate certificates into the CA key store on the client?
When you imported the CA key into the gateway, did you also include any intermediate certificates?
At least from a few TAC cases, this seems to be one potential reason for the issue.

Re: Secure Domain Logon - Certificate is badly signed

Alias — Fri, 23 Jul 2021 08:10:11 GMT

Hey Phoneboy,

thank you for your reply

Yes, the CAs are correctly implemented on the clients and the gateway. Just for my own understanding, if it weren't correctly configured, the VPN shouldnt work at all?

I deactived the CRL checking on the gateway as described in sk21156 to see if it is a CRL problem, but it still doesn't work

Re: Secure Domain Logon - Certificate is badly signed

PhoneBoy — Fri, 23 Jul 2021 15:45:13 GMT

Would recommend opening a TAC here.

Re: Secure Domain Logon - Certificate is badly signed

Alias — Mon, 26 Jul 2021 12:34:14 GMT

Hey,

yeah, I am afraid I have to.

I tried a couple of things and I suspect it has to do with another issue I had a while ago with renewing a CA and posted here:

https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-implement-a-renewed-3rd-Party-Issuing-CA-Cert/m-p/119385#M5189

We'll see. Thanks for your help

Cheers

Re: Secure Domain Logon - Certificate is badly signed

514numbers — Tue, 01 Nov 2022 17:45:14 GMT

We have the same issue but only for a few laptops with 86.60. We have opened a case howerver would like to know if there was a solution.

Re: Secure Domain Logon - Certificate is badly signed

AndreiR — Thu, 23 Feb 2023 09:36:18 GMT

Hi,

The fix for the "Certificate is badly signed" issue will be available in coming E87.20 (should be GA within few weeks). If for some reason it doesn't help in your specific configuration, please open support case and refer this ID: "ESVPN-3747".