As my client wants to use their own Microsoft AD server to generate a certificate and import it into the Mgmt server for HTTP Inspection of outgoing traffic, we are using the Internal CA certificate from the Check Point Mgmt server itself, and it works.
My question is: do we need to generate a CSR and let their AD sign the certificate for this purpose? If yes, how do we generate it on platform R80.10? Hope you guys could provide me a detailed procedure. Thanks.
You won't need to change the certificates on the CP Management Server. You'll need to install a new SubCA certificate issued by the Microsoft CA on the gateway.
As you have to import the certificate for this via the Smart Console from .pfx, you will have to create the CSR somewhere else, then let the AD CA sign the request and fulfill the procedure on the Check Point. Then convert / export this to a pfx+password pair.
As far as I remember, most security products based on Linux and similar have problems with certificates that use the RSASSA-PSS algorithm. That can be kind of a show stopper.
You can use openssl on a Check Point machine (expert mode) or the Windows certreq / certutil tools.
A hint on how to use openssl for creating a request and converting the certificate files to .pfx:
Signing the CSR on the Microsoft CA
Depending on the CA configuration and demands, you'll have to create a new SubCA template, for example.
Now you can copy the cert file to the machine where you created the CSR and, according to the link above, convert it and export the bundle to a pfx file and password.
Copy the created file to your client.
Now you can install the certificate to the gateway using the .pfx file - described here:
Once you have imported the certificate, you should export the private key to somewhere no one has access to, except in case of emergency, and delete it from the local machine.
Hope it helped
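The CSR-to-PFX procedure described in the answer above, as an added shell example that is not part of the original thread or of Check Point's documentation. It also checks the returned certificate for an RSASSA-PSS signature before the PFX is built. The function names, subjects, file names and password are constructed, and a throwaway local root stands in for the Microsoft CA so the script runs offline.

```shell
#!/bin/sh
# Added example: CSR -> CA signature -> PFX, with a signature-algorithm check.
# Subjects, file names and the password are constructed for this demo.
set -eu

# Step 1: private key and CSR, created where the PFX will later be built.
make_csr() {  # $1 = base name for the .key/.csr files
  ( umask 077   # key file readable by the owner only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/O=Example Corp/CN=Example Outbound Inspection CA" \
      -keyout "$1.key" -out "$1.csr" )
}

# Step 2 (stand-in): in the thread the Microsoft CA signs the CSR with a SubCA
# template. A throwaway local root plays that role here so the demo runs offline.
sign_with_test_ca() {  # $1 = base name; writes root.crt and $1.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed Test Root" -keyout root.key -out root.crt
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
  openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -sha256 -days 30 -extfile subca.ext -out "$1.crt"
}

# Step 3: print the signature algorithm; fail if the CA signed with RSASSA-PSS.
sig_alg_ok() {  # $1 = PEM certificate returned by the CA
  alg=$(openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Signature Algorithm: *//p' | head -n 1)
  echo "$alg"
  case "$(echo "$alg" | tr 'A-Z' 'a-z')" in *rsassa*pss*) return 1 ;; esac
  return 0
}

# Step 4: bundle key + cert + issuer into a PFX (export fails if key and cert
# do not match), then print how many certificates the bundle contains.
build_pfx() {  # $1 = base name; password is read from $PFX_PASS
  openssl pkcs12 -export -inkey "$1.key" -in "$1.crt" -certfile root.crt \
    -name "outbound-inspection-ca" -passout env:PFX_PASS -out "$1.pfx"
  openssl pkcs12 -in "$1.pfx" -passin env:PFX_PASS -nokeys | grep -c 'BEGIN CERTIFICATE'
}

run_demo() (   # subshell body: the cd does not leak to the caller
  cd "$(mktemp -d)"
  make_csr subca && sign_with_test_ca subca
  sig_alg_ok subca.crt && build_pfx subca
)

export PFX_PASS='constructed-demo-password'
run_demo
```

On a real run, step 2 is replaced by the certificate the Microsoft CA returns, and `root.crt` by that CA's own certificate; a DER-encoded file can be converted to PEM first with `openssl x509 -inform der`.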