Jonathan
Advisor

SNX not working after portal certificate change

Hi,

My question is about changing a 3rd party certificate for the SSLVPN portal.

I run a R81.20 last take, as a VSX cluster.

Employees use SSLVPN for remote access, after authentication they click the green "Connect" button to launch the SNX connection in order to use native applications.

We use a public CA certificate which is set under the "Portal Settings" section in the gateway setting.

Our current certificate was almost expired and the CA issued us a new one, while maintaining the same intermediate and root.

We already had the root+intermediate certs installed under the TrustedCA page (SmartDashboard > HTTPs inspection > trusted CAs).

After installing the new certificate the SNX stopped working. We clicked the "Connect" button, the progress bar showed up and then it just reverted to "Connect" again.

I checked the slimsvc.log file on the client and noticed errors regarding certain certificate fingerprints not matching.

The only thing that solved the issue was to add the root+intermediate certs to the trustedCAs repository again, even though they were identical (now we have a duplicate).

Furthermore, the fingerprint that is shown in the CA itself looks nothing like the fingerprint shown in the GUI on the portal settings page. I guess it's a custom Checkpoint fingerprint...

So, my question is: why is this happening? Why did I have to install the CAs again? Will this happen every time? Is there a table holding the "real fingerprint" vs. "CP's fingerprint" I can see?

We're trying to create a scripted automation for changing the portal certificate and we want to understand the flow.

Thanks

0 Kudos
2 Replies
PhoneBoy
Admin

Did you include the root and intermediate CAs when you imported the renewed certificate?

I'm fairly certain what we print on connection is a "human readable hash" per RFC 1751 versus the hexadecimal hash encoded in the certificate.
There's a Python script to convert the hexadecimal hash to that readable hash on CheckMates: https://community.checkpoint.com/t5/Scripts/rfc1751-py/td-p/194975

0 Kudos
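The RFC 1751 conversion PhoneBoy refers to, written out here as an added example (this is not the CheckMates rfc1751.py script nor Check Point's own code): each 64-bit block of the digest gets two parity bits appended and is split into six 11-bit indices into the 2048-word RFC 1751 dictionary. The dictionary is not embedded and must be passed in by the caller, and the thread does not say which hash Check Point feeds in, so the function accepts any hex digest that is a whole number of 8-byte blocks (a 16-byte MD5 digest fits; a 20-byte SHA-1 digest is rejected).

```python
"""RFC 1751 word-index encoding: 64-bit blocks -> six 11-bit indices each."""
from typing import List, Optional, Sequence

WORD_BITS = 11
WORDS_PER_BLOCK = 6  # 64 key bits + 2 parity bits = 66 = 6 * 11


def block_parity(block: int) -> int:
    """RFC 1751 parity: sum the 32 two-bit groups of the block, keep the low 2 bits."""
    return sum((block >> shift) & 0b11 for shift in range(0, 64, 2)) & 0b11


def block_to_indices(block: int) -> List[int]:
    """Append the 2 parity bits to a 64-bit block and split it into six 11-bit indices."""
    if not 0 <= block < (1 << 64):
        raise ValueError("block must fit in 64 bits")
    bits = (block << 2) | block_parity(block)  # 66 bits, parity bits last
    return [(bits >> (66 - WORD_BITS * (i + 1))) & 0x7FF for i in range(WORDS_PER_BLOCK)]


def fingerprint_to_indices(hex_fingerprint: str) -> List[int]:
    """Convert a hex digest (colon- or space-separated allowed) to word indices.
    RFC 1751 only defines whole 64-bit blocks, so the digest must be a multiple of 8 bytes."""
    raw = bytes.fromhex(hex_fingerprint.replace(":", "").replace(" ", ""))
    if not raw or len(raw) % 8:
        raise ValueError(f"digest is {len(raw)} bytes; RFC 1751 needs a multiple of 8")
    indices: List[int] = []
    for off in range(0, len(raw), 8):
        indices += block_to_indices(int.from_bytes(raw[off:off + 8], "big"))
    return indices


def indices_to_block(indices: Sequence[int]) -> int:
    """Reverse one block of six indices; raises if the embedded parity does not match."""
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | (idx & 0x7FF)
    block, parity = bits >> 2, bits & 0b11
    if block_parity(block) != parity:
        raise ValueError("parity mismatch: a word is wrong or out of order")
    return block


def fingerprint_to_words(hex_fingerprint: str, dictionary: Optional[Sequence[str]]) -> str:
    """Render as words when the caller supplies the 2048-entry RFC 1751 dictionary
    (not embedded here); without it, the raw indices are shown as '#n'."""
    idx = fingerprint_to_indices(hex_fingerprint)
    if dictionary is None:
        return " ".join(f"#{i}" for i in idx)
    if len(dictionary) != 2048:
        raise ValueError("RFC 1751 dictionary must have exactly 2048 words")
    return " ".join(dictionary[i] for i in idx)


if __name__ == "__main__":
    # RFC 1751 test vector: key EB33F77EE73D4053 encodes as "TIDE ITCH SLOW REIN RULE MOT".
    print(fingerprint_to_words("EB33F77EE73D4053", None))
```

Feeding the hex fingerprint shown by the CA through this, with the RFC's dictionary loaded, is how to check it against the word-style fingerprint the portal settings page displays.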
Jonathan
Advisor

The PFX of the certificate included the entire chain. We used it on other systems with no issues.

0 Kudos