Re: export certificate for ldap user remote access

dkurochkin · ‎2025-04-12

Hello team

I'm so sorry for my question

so

For remote access vpn need auth certificate + password for ldap user

how to export *.p12 file for LDAP user from smartdashboard -> mobile access -> client certifiactes ??

or another way to get *.p12 file for ldap user ??

thx

the_rock · ‎2025-04-12

I know it can be done using ICA mgmt tool, but will check tomorrow using smart console in the lab.

Andy

Best,
Andy

the_rock · ‎2025-04-12

I totally forgot I upgraded my lab mgmt to R82, but either way, those options are bit different, I cant see anywhere that lets you export the cert from smart console. Maybe someone else can confirm for you.

Andy

Best,
Andy

dkurochkin · ‎2025-04-12

Thanks for your answer

But how to for ldap user use 2 factor auth with password + certificate ?

the_rock · ‎2025-04-12

I will do some more tests Sunday and let you know.

Andy

Best,
Andy

the_rock · ‎2025-04-13

Hey, sorry for the delay, will check this later today.

Andy

Best,
Andy

the_rock · ‎2025-04-13

Im really struggling to find a way to do this from smart console (not even sure if its possible)...

Andy

Best,
Andy

dkurochkin · ‎2025-04-13

Thanks for your answer

M.b. another way ?

Not by smartconsole?

R81.20

the_rock · ‎2025-04-13

Maybe this?

Andy

https://support.checkpoint.com/results/sk/sk179785

Best,
Andy

dkurochkin · ‎2025-04-14

way like sk179785 not work in this case

becouse sk179785 get me GW certificate (in smartConsole gw and servers -> gw -> IPSec VPN -> Repository of certificates available to the gateway)

but I'm need p12 file for LDAP user (smartdashboard -> mobile access -> client certifiactes)

need second factor like certificate for remote acces in client for ldap user

how to do it ?

dkurochkin · ‎2025-04-14

ok

vpn client do it (get cert from gw) automatic when enroll cert by first connect

but if in enroll procedure cert wasnt installed, dont now how to export p12 file

need recreate new certificate and its work

thanks

PhoneBoy · ‎2025-04-14

I assume the enrollment process actually generates the certificate on the client itself.
Which means there is nothing to export from the management.

If the enrollment process fails, you will need to issue another enrollment to the user.
If that process continues to fail, please consult with TAC.

dkurochkin · ‎2025-04-15

some about p12 file

smartdashboard -> mobile access -> client certifiactes

after double click on certificate -> windows about p12 file

so p12 file exists, we don't know how to get it

PhoneBoy · ‎2025-04-15

All that means is the management has the user's public key, which is expected.
Without the private key, which is generated and stored only on the client itself, it is not useful to provide an export.
Storing these private certificates centrally presents an unnecessary security risk.

Even in cases where we have to manage a private key (e.g. Site-to-Site VPNs authenticated with certificates), a new certificate can easily be generated as needed.
To maintain security, when a new certificate is generated, the old one is marked as revoked in the CRL.
As such, we do not permit export of certificates after the initial generation.

Are you a member of CheckMates?

export certificate for ldap user remote access