Not sure if below steps make 100% sense, but looks okay to me.

Andy

******************

1. Decide Where to Generate the CSR

You can generate the CSR either:

• On the Check Point Security Gateway / Management Server (Gaia CLI or SmartConsole)

• Externally (Windows/Linux) and then import the signed certificate + private key

Best practice: generate the CSR directly on the Check Point box where the private key will be used, so the key never leaves the device.

2. Generate CSR in Gaia Portal (Easiest)

1. Log into the Gaia Portal (https://<mgmt_or_gateway_IP>).

2. Go to:
   Device > Certificates > Outgoing Certificates

3. Click Add > Create Certificate Signing Request (CSR).

4. Fill in the fields:

   • CN (Common Name): typically the FQDN used for outbound TLS (e.g., proxy.company.com)

   • O (Organization), OU, L, ST, C as required by your CA policy

   • Key length: 2048 or 3072 bits (depending on your CA requirements)

5. Save/Generate → This will create a .csr file.

6. Download the CSR file.

3. Submit CSR to Windows CA

On your Windows CA server:

1. Open Certification Authority MMC.

2. Right-click the CA → All Tasks → Submit new request.
   Or, if using web enrollment, open:
   http://<CAserver>/certsrv → Request a certificate → Advanced certificate request → Submit CSR.

3. Choose the correct certificate template (e.g., Web Server, Subordinate CA, etc., depending on usage).

4. Submit and download the signed certificate (usually .cer or .p7b).

4. Import Signed Certificate Back into Gaia

1. Go back to Gaia Portal → Device → Certificates → Outgoing Certificates.

2. Select your pending CSR request.

3. Click Import Certificate and upload the .cer (or export from CA as Base64 if needed).

4. Once imported, the status will change to Valid.

5. (Optional) CLI Method

If you prefer CLI:

• Transfer the .csr to your Windows CA, sign it, then bring the .cer back.

• Import both .key and .cer into Check Point with cpca_client or via Gaia Portal.