HTTPS certificate creation
I'm in the process of "rebuilding" a system, and one element that I need to re-enable is HTTPS inspection. This was working previously, but has been bypassed for the last several months (by a rule in the policy).
The existing certificate is 5 years old with a 10 year life, and at present is NOT installed on the users' machines due to them being rebuilt (and group policy being reset too!). It's also created on the management server using the company's name as the issuing authority (www.mycompany.co.uk), but this is a local certificate and nothing to do with the actual real domain by that name. So the cert shows issued by and issued to, both as www.mycompany.co.uk, which is a little confusing for people.
So my thought is to generate a new certificate on the management server, using a more generic or obvious name with a full 10 years on it, then deploy this via a GPO, however I can't see a way to do this.
I'm assuming that there is a way to do this but so far I've not found anything helpful (everything seems to discuss creating it when you turn on HTTPS inspection, but as it's already on this isn't an option), so I was wondering if anyone could advise me?
Accepted Solutions
Hey Steve,
I had that happen with a customer once, and TAC provided the SK below to follow.
Andy
Hi Andy,
This doesn't mention R81.20, but it does mention R81.10 so I figured that as long as I do a snapshot first it's definitely worth a try!
Worked like a dream, resetting the HTTPS as if it's never been enabled before, and allowed me to create a new certificate which was exactly what was required!
Perfect, thanks!
Steve
Great job! Glad we can help.
Andy
Hi,
If you want to renew the ICA, maybe this SK helps:
https://support.checkpoint.com/results/sk/sk158096
Or do you want to make an intermediate (issuer) CA?
Akos
\m/_(>_<)_\m/
If you want to manually create a new cert, e.g. for your GW, maybe you can follow this SK:
https://support.checkpoint.com/results/sk/sk30501
After you create the user to access the ICA management you will see this screen:
Then you will be able to create a new cert as you want.
Akos
\m/_(>_<)_\m/
Totally forgot about that, I see I had it set up in my lab as well, great tool!
Andy
Can be done via Smart Dashboard -> https://support.checkpoint.com/results/sk/sk108641
Or with cpopenssl on the CLI (Check Point's version of OpenSSL).
Or any other system with OpenSSL.
Would do it via SmartDashboard, everything you need to do you can do over there.
My customer also did it that way a couple of days ago, added it to the client, and it works great.
If something is wrong with the certificate, clients will get a warning in the browser.
