Ks07
Participant

Change RSA Key 2048 to 4096 to Client VPN

I am changing the size of the RSA Key 2048 to 4096 to Client VPN because I have a customer who did a vulnerability scan and they indicated that the RSA Key of the certificate of the public ip with which the users are authenticated by VPN with Endpoint Security is vulnerable in 2048 bits so the procedure of sk96591 was performed in the section “VPN Certificate, User Certificate, Client Certificate”.

https://support.checkpoint.com/results/sk/sk96591

I got stuck on the last part that says “Generate the VPN / User / Client Certificate again”.

At first I thought it was the “ipsec VPN” certificate but validating the certificate I had a Public RSA Key of 1024 bits but in the ica management tool I found that it was configured by default 2048, this made me suspect that this is not the certificate that I should renew or generate again.

Could someone tell me what is the exact certificate that is used for the remote VPNs of the users. The users are authenticated by username and password, not by certificate; the certificate is only for the authentication of the VPN communication.

I tried to renew the “Ipsec VPN” certificate but when I renewed it I still got 1024, additionally this does not match with the configuration in the Ica Management Tool that had 2048.

In case I have to generate the certificate in the Ica Management Tool, where do I import it?

0 Kudos
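The scanner finding in the question is about the key size of the certificate the gateway actually presents to VPN clients, which is also the thing to re-check once the ICA setting has been changed and the certificate regenerated. The following is an added example (not from this thread or from Check Point) that uses the openssl command line to fetch the leaf certificate from a gateway and report its RSA modulus length; the host name `vpn.example.invalid`, the default port 443 and the 2048-bit minimum are assumptions for illustration.

```shell
#!/bin/sh
# Added example: confirm the RSA key size of the certificate a gateway presents,
# before and after the ICA key-size change. Requires the openssl CLI.

# Print the RSA modulus length in bits of a PEM certificate file; prints
# nothing if the certificate does not carry an RSA public key.
rsa_bits_of_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Fetch the leaf certificate presented by host:port (for example the gateway's
# public IP on 443) and write it as PEM to the given output file.
fetch_leaf_cert() {
    host="$1"; port="$2"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Return 0 when the certificate's RSA key meets the minimum size, 1 otherwise.
check_min_bits() {
    bits="$(rsa_bits_of_cert "$1")"
    min="${2:-2048}"
    [ -n "$bits" ] && [ "$bits" -ge "$min" ]
}

# Constructed sample input: a throwaway self-signed certificate of the given
# RSA size, so the checks above can be exercised offline without a gateway.
make_test_cert() {
    size="$1"; out="$2"
    openssl req -x509 -newkey "rsa:$size" -nodes -keyout "$out.key" \
        -out "$out" -days 1 -subj "/CN=vpn.example.invalid" 2>/dev/null
}

# Usage: sh check_vpn_cert.sh <gateway-host> [port] [min-bits]
if [ "$#" -ge 1 ]; then
    host="$1"; port="${2:-443}"; min="${3:-2048}"
    tmp="$(mktemp)"
    fetch_leaf_cert "$host" "$port" "$tmp"
    bits="$(rsa_bits_of_cert "$tmp")"
    if check_min_bits "$tmp" "$min"; then
        echo "$host:$port presents an RSA-$bits certificate (>= $min bits): OK"
    else
        echo "$host:$port presents an RSA-${bits:-?} certificate (< $min bits): FINDING"
    fi
    rm -f "$tmp"
fi
```

Run it against the gateway's public address before the change to reproduce the scanner's observation (the 1024-bit value the question mentions would show up here), and again after the certificate has been regenerated; a client that still reports the old size usually means the gateway is still presenting the previous certificate rather than the newly generated one.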

16 Replies
Ks07
Participant

2024-05-14_18h09_13.png
2024-05-14_18h10_22.png
2024-05-14_18h11_46.png

the_rock
Legend

Will test this in the lab tomorrow and see if I can make it work.

Andy

0 Kudos
the_rock
Legend

I just tested it and worked fine, not sure what step you may have missed.

Andy

0 Kudos
the_rock
Legend

Disregard my last response, still shows same in my lab, I asked a colleague about it, he actually teaches CP classes, Im sure he may know.

Will keep you posted.

Best,

Andy

0 Kudos
Ks07
Participant

Hi Andy, good morning.

Precisely where I got stuck is in the last point, 4 “Generate the VPN / User / Client Certificate again”, as I understand that you must generate the certificate again in “Ica Management Tool” and then import it in the same checkpoint, but I do not understand where. Additionally I have the doubt whether that certificate is the “ipsec VPN” one, and at the same time I have the doubt about the discrepancy between the bits I see in the ica management tool and the bits I see in the certificate of ipsec vpn.

0 Kudos
the_rock
Legend

I got you, I don't give up easily. My colleague gave this sk, but this is what I tried already. We will do remote later and see if we can figure it out.

Andy

https://support.checkpoint.com/results/sk/sk96591

0 Kudos
Ks07
Participant

Hi Andy, good morning.

That SK is the one I already made using the procedure of: “VPN Certificate, User Certificate, Client Certificate”.

In the last point number 4 where it says generate is where I got stuck.

2024-05-14_18h09_13.png

0 Kudos
the_rock
Legend

Leave it with me, I will update you later.

Andy

0 Kudos
the_rock
Legend

@Ks07 

I got it. You need to do below part as well.

Andy

 

Screenshot_1.png

After that, you will see the change.

 

Screenshot_2.png

Ks07
Participant

Hi Andy, good morning, thank you,

I understand, just could you confirm me something, that certificate is also used for users who connect via VPN through “Endpoint Security”?

Would this change affect my VPN S2S? or what impact could it have?

0 Kudos
the_rock
Legend

I can't say 100% it will work in your case unless you try. I tested in my lab, no issues with Azure vpn tunnel OR remote access, did not have to even delete/re-create the site.

Andy

0 Kudos
the_rock
Legend

Maybe, just to be on safe side, I would do it after hours.

Andy

0 Kudos
the_rock
Legend

Forgot to mention, there is no way sadly to make change like this for only group of users, it is global : - (

Andy

0 Kudos
the_rock
Legend

Also, word of caution, sorry to "hit" you with so many updates...

MAKE sure NOT to change first value to anything higher than 2048, because if you use ssl inspection, block page will NOT show up properly if you do (just leave it as 1024 or 2048)

Best,

Andy

 

Screenshot_1.png

Ks07
Participant

Thanks Andy, I also did the test in a lab to have the procedure under control, and indeed, that was what I was missing.

 

Regards,

the_rock
Legend

I understood, welcome 🙂
