Ed_Gonzalez
Employee

How to create a TRUSTED ROOT CA?

Has anyone created a “Trusted Root CA” (root-ca.crt) that is not recognized by the client computer? I followed the guide for this PoC to get the cert:

I did change the name (sblast.lab.local) but everything is the same... when I import it:

The docs state there should not be any issues and it should look like this:

Any ideas how to resolve it or find another means to get a working “Trusted Root CA”? I also saw SK 113599 but decided to use this doc.

Ed

1 Solution

Accepted Solutions
Ed_Gonzalez
Employee

Here are the exact steps and file.

6.1 Create a CA certificate

Log in to the SB appliances via SSH and follow these steps:

(sba_openssl.cnf might be completely omitted if you use FQDN throughout all SBA config steps)

Ignore all warning outputs you get when running the cpopenssl commands 🙂

1) Create /tmp/sba_openssl.cnf (change CN, DNS and IP according to your SB appliance settings) and insert this content:

[ req ]
prompt = no
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = req_ext

[ req_distinguished_name ]
C=DE
ST=BY
O=CP
OU=SB
CN=sblast.lab.local

[ req_ext ]
subjectAltName = @alternate_names

[alternate_names]
DNS.1=sblast.lab.local
DNS.2=10.200.75.50
IP.1=10.200.75.50

2) Create CA private key

# cpopenssl genrsa -aes256 -out ca-root.key 2048

3) Create CA certificate

# cpopenssl req -x509 -new -nodes -extensions v3_ca -key ca-root.key -days 1024 -out ca-root.crt -sha512 -config /var/opt/CPshrd-R77/conf/openssl.cnf

Be sure to set the common name to your domain only. Common Name (e.g. server FQDN or YOUR name) []: lab.local

6.2 Create SandBlast UserCheck certificate

1) Create Server private key

# cpopenssl genrsa -out sblast.lab.local.key 4096

2) Create certificate signing request

# cpopenssl req -new -key sblast.lab.local.key -sha512 -subj "/C=DE/ST=BY/O=CheckPoint/CN=sblast.lab.local" -config /tmp/sba_openssl.cnf -out sblast.lab.local.csr

3) Create server public certificate

# cpopenssl x509 -req -in sblast.lab.local.csr -CA ca-root.crt -CAkey ca-root.key -CAcreateserial -extensions req_ext -extfile /tmp/sba_openssl.cnf -out sblast.lab.local.crt -days 365 -sha512

4) Convert server certificate to PKCS#12

# cpopenssl pkcs12 -export -in sblast.lab.local.crt -inkey sblast.lab.local.key -out sblast.lab.local.p12 -certfile ca-root.crt

==============================

NOTE: I think the problem might be the "RED" font area.

The two important files are "R7730TE.lab.local.p12" and ca-root.crt. It's the ca-root.crt that I'm installing on my laptop/client.


16 Replies
PhoneBoy
Admin

Your screenshot for when you imported it doesn't show...it points to Gmail.

You might want to download it and reattach to the above message.

0 Kudos
Ed_Gonzalez
Employee

Here is the image...

0 Kudos
Pedro_Espindola
Advisor

If you are getting browser errors maybe the problem is with the end certificate, not the root CA certificate.

Your certificate might be missing a subject alternate name or the redirect URL doesn't match the CN or any alternate name.

What does the browser tell you about the error? Hit F12 > Security. It will tell you the exact reason for the error. Share with us.

0 Kudos
Ed_Gonzalez
Employee

Hi Pedro. Thanks for the quick reply. That's exactly what I'm thinking, and last night I spent some time trying to review the steps in the command. It looks like it does read off it too... Here is the actual file (sba_openssl.cnf) that is initially set up. Once I run the commands and generate the cert it asks me for C, ST, O... etc. and I was entering diff info but tried to match them last night, but no luck.

I'll look into the area you suggested and follow up.

0 Kudos
Ed_Gonzalez
Employee

Here is the error.

0 Kudos
Ed_Gonzalez
Employee

0 Kudos
Pedro_Espindola
Advisor

On the browser, hit F12 and go to the "Security" tab to see more details.

Also, open the certificate and check the certification path.

0 Kudos
Ed_Gonzalez
Employee

Here is more info.

0 Kudos
Ed_Gonzalez
Employee

0 Kudos
Ed_Gonzalez
Employee

Going to try something new... support just told me the following: 

Based on the information that is on the case it seems it looks like we are not combining the CA certificate with the server cert. The next step here will be to follow sk69660, which is originally intended for Mobile Access. The steps are the same for UserCheck; the only difference will be step 3, you will just have to import the certificate under the UserCheck tab.

I'll follow up on the results after lunch.

0 Kudos
Pedro_Espindola
Advisor

That is correct, the certificate is missing the root CA in the chain. There should be the lab.local certificate above the sblast.lab.local in the certification path.

In step 4, add the option -certfile ca-root.crt
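The 6.1/6.2 sequence from the accepted answer with this step 4 fix applied, as an added example that is not from the thread: it uses stock openssl in place of cpopenssl (same options), builds the chain in a scratch directory, and then runs the checks a client applies, which is where a missing -certfile shows up as a one-certificate bundle. The DN, names and 10.200.75.50 are the post's lab values; the .p12 password "lab" and a ca_ext section standing in for the appliance's v3_ca are assumptions.

```shell
# Added example, not from the thread: steps 6.1/6.2 with stock openssl (same
# options as cpopenssl) in a scratch dir, then the checks a client applies.
set -eu
make_chain() {
  dir=$(mktemp -d); cd "$dir"
  cat > sba_openssl.cnf <<'EOF'
[ req ]
prompt = no
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = req_ext
[ req_distinguished_name ]
C=DE
ST=BY
O=CP
OU=SB
CN=sblast.lab.local
[ req_ext ]
subjectAltName = @alternate_names
[alternate_names]
DNS.1=sblast.lab.local
DNS.2=10.200.75.50
IP.1=10.200.75.50
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
  # 6.1: root CA, CN = domain only; ca_ext stands in for the appliance's v3_ca
  openssl genrsa -out ca-root.key 2048 2>/dev/null
  openssl req -x509 -new -key ca-root.key -days 1024 -sha512 -config sba_openssl.cnf \
    -extensions ca_ext -subj "/C=DE/ST=BY/O=CP/CN=lab.local" -out ca-root.crt
  # 6.2: server key, CSR, cert. SANs are applied from -extfile at signing time
  openssl genrsa -out sblast.lab.local.key 2048 2>/dev/null
  openssl req -new -key sblast.lab.local.key -sha512 -config sba_openssl.cnf -out sblast.lab.local.csr
  openssl x509 -req -in sblast.lab.local.csr -CA ca-root.crt -CAkey ca-root.key \
    -CAcreateserial -extensions req_ext -extfile sba_openssl.cnf \
    -out sblast.lab.local.crt -days 365 -sha512 2>/dev/null
  # step 4 with the -certfile fix: the CA travels inside the .p12 (password assumed)
  openssl pkcs12 -export -in sblast.lab.local.crt -inkey sblast.lab.local.key \
    -certfile ca-root.crt -passout pass:lab -out sblast.lab.local.p12
  echo "$dir"
}
# Client-side view: chains to root, redirect name/IP are SANs, bundle holds 2 certs
verify_chain() {
  openssl verify -CAfile "$1/ca-root.crt" "$1/sblast.lab.local.crt" >/dev/null || return 1
  openssl x509 -in "$1/sblast.lab.local.crt" -noout -text \
    | grep -q 'DNS:sblast.lab.local.*IP Address:10.200.75.50' || return 1
  n=$(openssl pkcs12 -in "$1/sblast.lab.local.p12" -nokeys -passin pass:lab \
    | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ]
}
```

Drop -certfile from the pkcs12 line and the last check fails with a count of 1, which is the broken certification path the browser showed.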

Ed_Gonzalez
Employee

Hey Pedro. Thanks for your suggestion... it worked! For some reason the work laptop was probably the main issue, since it was not working there. But once I tried the lab computer it worked great! Thanks! Ed

Pedro_Espindola
Advisor

Great to know, Ed!

Please mark this question as answered if everything is working.

PhoneBoy
Admin

FYI I marked Ed Gonzalez's answer correct and added your suggestion to step 4.

Pedro_Espindola
Advisor

Great! Thanks
