This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Digo11
Contributor
‎2023-03-26 11:42 PM
Jump to solution

Inbound HTTPS Inspection - Importing Certificate

Hello Experts.

I am trying to perform inbound HTTPS inspection; I do not have any private key password assigned to the certificate (wildcard certificate). While trying to import the internal server certificate for the inbound rules, I cannot import the certificate without providing the password.

Is there a way to skip/bypass the private key password section? It shows an error when I try to skip the password section.

*Note: When I provide the export password of the certificate in the private key password section, it accepts and imports the certificate. 

Thanks in advance!!

 

Regards,

Digo.

Preview file
23 KB
0 Kudos
1 Solution

Accepted Solutions
Sorin_Gogean
Advisor
‎2023-03-27 12:34 PM
Jump to solution

Hello @Digo11 ,

Not sure if you were kidding when you asked for "a way to skip/bypass the private key 🙂.

From CKP HTTPS Inspection documentation, we have the below paragraph explaining what is need:

When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow HTTPS Inspection, the Security Gateway must use the original server certificate and private key. The Security Gateway uses this certificate and the private key for SSL connections to the internal servers.

Inbound HTTPS Connections

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

Inbound connection flow

 

Now on your problem, you can't, because when we do INBOUND HTTP Inspection , meaning we decrypt traffic that comes from outside to our DMZ servers, the CKP HAS TO Present itself as the "original server", therefore, in order to do that, the server SSL certificate and the private key, needs to be installed to he can substitute itself into the communication.

As example:

SSL%20Decryption_Fig9

 

Hopefully is clearer for you now.

 

Ty,

View solution in original post

6 Replies
Sorin_Gogean
Advisor
‎2023-03-27 12:34 PM
Jump to solution

Hello @Digo11 ,

Not sure if you were kidding when you asked for "a way to skip/bypass the private key 🙂.

From CKP HTTPS Inspection documentation, we have the below paragraph explaining what is need:

When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow HTTPS Inspection, the Security Gateway must use the original server certificate and private key. The Security Gateway uses this certificate and the private key for SSL connections to the internal servers.

Inbound HTTPS Connections

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.

Inbound connection flow

 

Now on your problem, you can't, because when we do INBOUND HTTP Inspection , meaning we decrypt traffic that comes from outside to our DMZ servers, the CKP HAS TO Present itself as the "original server", therefore, in order to do that, the server SSL certificate and the private key, needs to be installed to he can substitute itself into the communication.

As example:

SSL%20Decryption_Fig9

 

Hopefully is clearer for you now.

 

Ty,

Digo11
Contributor
‎2023-03-28 09:07 AM
In response to Sorin_Gogean
Jump to solution

Hi Sorin_Gogean,

Good day!!

Thanks a lot for explaining the connection flow. Somehow, I was able to import the certificate by entering the "export" password that I had created at the time of exporting the certificate. I had to convert the certificate to .P12 format as it was originally in .PEM format.

I used the certificate for inbound inspection and the traffic is getting inspected as seen in the logs. I will check further and post here if assistance is required.

Thanks!!

the_rock
MVP Diamond
MVP Diamond
‎2023-03-28 09:42 AM
In response to Digo11
Jump to solution

Good job! 👍

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-28 09:47 AM
In response to Digo11
Jump to solution

Here is also a very good reference doc for you. This was given to me by TAC couple of years back, but it explains inspection very well.

Andy

Best,
Andy
"Have a great day and if its not, change it"
Preview file
5542 KB
0 Kudos
Sorin_Gogean
Advisor
‎2023-03-28 11:37 AM
In response to Digo11
Jump to solution

Glad it helped @Digo11 😊

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-27 03:51 PM
Jump to solution

What @Sorin_Gogean gave pretty much explains it all. Sadly, there is NO way to skip private key portion, thats the whole point actually of this process, otherwise, it would not be secure.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events