https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18932#M669 <HTML><HEAD></HEAD><BODY><P class="">That sounds right to me.</P></BODY></HTML> Fri, 27 Apr 2018 19:51:12 GMT PhoneBoy 2018-04-27T19:51:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18928#M665 <HTML><HEAD></HEAD><BODY><P>Hello Checkmates,</P><P></P><P>I'm testing the SSL Inspection on Checkpoint 790 with R77.20.75 firmware. With the dafault&nbsp;internal certificate it works as described in the instructions.&nbsp;</P><P>According to the&nbsp;<SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">sk121214, I can use my own certificate&nbsp;by replacing the internal CA.</SPAN></P><P>I'm trying to use one issued by our Private PKI server.&nbsp;I can preview the certificate, but when I apply, the&nbsp;firewall appliance load it, but with error: Invalid certificate file.</P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/64853_pastedImage_2.png" style="width: 620px; height: 376px;" /></P><P></P><P>As a result also the VPN service is affected, and my only option to recover is to Reinitialize Certificates.</P><P></P><P>What are the specific requirements for the replacing certificate, in addition to that it should be .p12 or .pfx?</P></BODY></HTML> Thu, 26 Apr 2018 14:07:56 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18928#M665 Georgi_Lyaskov 2018-04-26T14:07:56Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18929#M666 <HTML><HEAD></HEAD><BODY><P>Can you confirm your private PKI server is issuing a&nbsp;<STRONG><EM>certificate authority</EM></STRONG> key?</P><P>If it's not a CA key, it will not be considered valid.</P><P>You may also need to provide the entire certificate chain to the root CA so the gateway can validated the certificate.</P><P>This is because HTTPS Inspection generates certificates on the fly based on the CA key (either the one you provide or the one internally generated).</P></BODY></HTML> Thu, 26 Apr 2018 16:33:11 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18929#M666 PhoneBoy 2018-04-26T16:33:11Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18930#M667 <HTML><HEAD></HEAD><BODY><P>No it wasn't. I've missed that explanation <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />.&nbsp;Now I understand that&nbsp;the Checkpoint should act as a sub issuing CA in our enterprise PKI.</P><P>It would be easier, if t<SPAN style="color: #2a2a2a; background-color: #ffffff;">he firewall can create a request file for a subordinate CA certificate, as it will contain the required attributes. I assume the subject field can be anything and should have the following key usages&nbsp;<SPAN>KEY_CERT_SIGN_KEY_USAGE&nbsp; CERT_DIGITAL_SIGNATURE_KEY_USAGE.&nbsp;&nbsp;</SPAN></SPAN></P><P><SPAN style="color: #2a2a2a; background-color: #ffffff;">Is the checkpoint also going to create a new certificate for the VPN, based on the uploaded valid sub CA cert?</SPAN></P><P></P><P></P><P><SPAN style="color: #2a2a2a; background-color: #ffffff;">&nbsp;</SPAN></P><P><SPAN style="color: #2a2a2a; background-color: #ffffff;">&nbsp;</SPAN></P></BODY></HTML> Fri, 27 Apr 2018 07:45:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18930#M667 Georgi_Lyaskov 2018-04-27T07:45:24Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18931#M668 <HTML><HEAD></HEAD><BODY><P>No, a<SPAN style="color: #2a2a2a; background-color: #ffffff;"> new certificate for the VPN</SPAN> is only created if you trigger that.</P></BODY></HTML> Fri, 27 Apr 2018 09:05:11 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18931#M668 G_W_Albrecht 2018-04-27T09:05:11Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18932#M669 <HTML><HEAD></HEAD><BODY><P class="">That sounds right to me.</P></BODY></HTML> Fri, 27 Apr 2018 19:51:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Replace-Internal-CA-SSL-Inspection-with-own-certificate/m-p/18932#M669 PhoneBoy 2018-04-27T19:51:12Z