Alex_Wu
Contributor

How to replace Gaia default certificate with my Internal CA

Dear all,

I want to replace my Gaia (R80.10) default certificate with my internal Windows 2012 CA (2-tier PKI).

Would you like to tell me how to do it?

Thanks.

B.R

Alex


17 Replies
Marco_Valenti
Advisor

This should fit your needs, have fun :)

How to create and set certificate for Gaia Portal 

0 Kudos
Alex_Wu
Contributor

Thanks.

Yes, I know this KB.

The question is, after running the command according to

"Show / Hide instructions for Gaia Portal on Security Gateway with enabled Multiportal feature"

[Expert@HostName:0]# [ $(pidof mpdaemon) ] && ps --no-heading -o pid,ppid,cmd --ppid $(pidof mpdaemon)

the output is not an empty string... it is "5607 5565........." (see the pic below).

So the correct procedure is:

  1. Connect with SmartConsole to Security Management Server / Domain Management Server.

  2. Open the Security Gateway / Cluster object.

  3. Go to "Platform Portal" pane.

  4. In the section "Certificate", click on "Import" and choose the certificate.

Question: if I don't request a CSR, how do I create a certificate?

0 Kudos
Marco_Valenti
Advisor

You don't, the CA needs to have a CSR for signing a certificate.

I never followed the SK to be honest, so I can't help on that output, but those should be the PIDs of the process.

Houssameddine_1
Collaborator

The process depends on whether you are changing the cert on the GW or on the management server. If you are changing the cert on the GW, another question arises: do you have other portals running, like Mobile Access, Captive Portal, UserCheck, etc.?

On the GW, if you have the multi-portal daemon running you have to do it from SmartConsole. If you don't have the multi-portal daemon you have to follow the provided SK.

In order to use the certificate you have to generate a CSR. You generate the CSR from any Linux or Windows machine and send it to the CA to sign it.

Based on your description, you want to change the Gaia portal cert with your CA cert. You are mixing 2 things: the server certificate and the signing certificate, and they are different. Gaia uses a server certificate.

0 Kudos
Alex_Wu
Contributor

Thanks, but I don't know if multiportal is enabled. See the pic below.

0 Kudos
Houssameddine_1
Collaborator

You can use the command "mpclient list" to see which portals are enabled, or you can use the command "cpwd_admin list" to see if the mpdaemon is running or not (in general, if you have other portals running like Captive Portal, Mobile Access, the UserCheck page, or any other portal that is not the Gaia portal, then mpdaemon is running). In addition to that, if you need to install the certificate through SmartConsole you need the certificate in P12 format.

The following SK should work for any portal when the multiportal daemon is running (same steps for all portals; you can generate the CSR and the private key from any machine, it doesn't have to be the Check Point device).

How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to... 

Thanks

Alex_Wu
Contributor

Thanks. Please help me check if the mpdaemon is running or not. (Mobile Access is not activated in my environment, but I would like to use it in the future.)

In my environment, I have 2 GWs (CP4600, clustered) and 1 SmartCenter-1 205.

How do I generate certificates for them? (As the clustered GW has a virtual IP, I can access the GW via the virtual IP address.)

As I understand it, each GW needs to generate a server certificate, and the SmartCenter needs one too. But what about the virtual IP?

B.R

Alex

0 Kudos
Marco_Valenti
Advisor

mpdaemon PID of the process is 5566, so yes, it is running at the moment. I guess that now you have to consult with your partner and start to put down an action plan for that request.

Alex_Wu
Contributor

Thanks.

Alex_Wu
Contributor

When generating the CSR, I got the following error.

Below is the setting.

The IP is correct, but ...

0 Kudos
Sven_Glock
Advisor

If you already have the certificate and key you only need to do the last steps:

  1. Back up the current certificate file "server.crt" and certificate key file "server.key" in the "/web/conf/" directory:

    [Expert@HostName:0]# cp /web/conf/server.crt /web/conf/server.crt_ORIGINAL
    [Expert@HostName:0]# cp /web/conf/server.key /web/conf/server.key_ORIGINAL
  2. Replace the current certificate file "server.crt" and certificate key file "server.key" in the "/web/conf/" directory with the new certificate file and certificate key file:

    [Expert@HostName:0]# cp /path_to_new_files/server.crt /web/conf/server.crt
    [Expert@HostName:0]# cp /path_to_new_files/server.key /web/conf/server.key
  3. Verify that the certificates have changed:

    [Expert@HostName:0]# cat /web/conf/server.crt
    [Expert@HostName:0]# cat /web/conf/server.key
  4. Restart the Gaia Portal process:

    [Expert@HostName:0]# tellpm process:httpd2
    [Expert@HostName:0]# tellpm process:httpd2 t
(1)
Alex_Wu
Contributor

The question is that I don't have the certificate and key; I need to generate a CSR.

0 Kudos
Marco_Valenti
Advisor

The CSR syntax is not correct; it should be like:

cpopenssl req -new -out <CERT.CSR> -keyout <KEYFILE.KEY> -config $CPDIR/conf/openssl.cnf
0 Kudos
Alex_Wu
Contributor

I referred to the KB

How to create and set certificate for Gaia Portal 

Show / Hide instructions for Client's CA signed certificate for Gaia Portal on Security Management S...

On the security management gateway it works, but on the security gateway it doesn't.

B.R

Alex

0 Kudos
lama
Participant

Generate CSR:

cpopenssl req -new -newkey rsa:2048 -nodes -out fw.csr -keyout fw.key -config $CPDIR/conf/openssl.cnf

0 Kudos
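The full CSR-to-import flow discussed in this thread, as an added example that is not code posted by any participant nor Check Point's own tooling. It uses plain openssl in place of cpopenssl (on a Gaia box the cpopenssl ... -config $CPDIR/conf/openssl.cnf form above is what you would type), stands in a throwaway lab CA for the Windows 2012 CA so it runs offline, and the hostname, IP address and P12 password are constructed placeholders. Beyond what the thread shows, it checks that the certificate the CA returned actually belongs to the private key and chains to the CA before anything is copied to /web/conf or imported via SmartConsole, and it bundles cert, key and CA into the P12 that the SmartConsole import path expects. Putting the cluster virtual IP in the SAN is an assumption about how the portal will be reached, not something the thread settles.

```shell
#!/bin/sh
# Added example, not from the CheckMates thread or from Check Point.
# Assumes OpenSSL 1.1.1+ (for -addext) and mktemp; all names/IPs are constructed.
set -eu

# gen_csr <basename> <CN> [extra SANs, e.g. IP:192.0.2.10 ...]
# Produces <basename>.key (2048-bit RSA, unencrypted) and <basename>.csr with a SAN list.
gen_csr() {
  base=$1; cn=$2; shift 2
  sans="DNS:$cn"
  for s in "$@"; do sans="$sans,$s"; done
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$base.key" -out "$base.csr" \
    -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
  chmod 600 "$base.key"   # the key is what /web/conf/server.key protects; keep it private
}

# key_matches_cert <cert.pem> <key.pem>: succeeds only if the cert's public key is the key's.
# Run this before overwriting /web/conf/server.crt; a mismatch leaves httpd2 without a usable pair.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# chain_ok <cert.pem> <ca-chain.pem>: the cert must validate against the CA that is supposed to have issued it.
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# san_present <cert.pem> <name-or-ip>: the name clients will use must be in the SAN, or browsers warn.
san_present() { openssl x509 -in "$1" -noout -text | grep -q "$2"; }

# make_p12 <cert> <key> <ca-chain> <out.p12> <password>: bundle for the SmartConsole "Import" step.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" -out "$4" -passout "pass:$5"
}

# --- constructed stand-in for the internal Windows CA; lab/testing only ---
lab_ca() {   # lab_ca <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Lab Issuing CA" 2>/dev/null
}
lab_sign() { # lab_sign <dir> <csr> <out.crt> <sans>: issue a serverAuth cert with the given SANs
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$4" > "$1/ext.cnf"
  openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$1/ext.cnf" -out "$3" 2>/dev/null
}

# demo: run the whole flow in a temp dir and print the dir; fails (non-zero) if any check fails.
demo() {
  d=$(mktemp -d)
  (
    cd "$d"
    lab_ca "$d"
    # constructed gateway name plus the cluster VIP as an extra SAN (assumption, see lead-in)
    gen_csr fw gw1.example.internal IP:192.0.2.10
    lab_sign "$d" fw.csr fw.crt "DNS:gw1.example.internal,IP:192.0.2.10"
    key_matches_cert fw.crt fw.key
    chain_ok fw.crt ca.crt
    san_present fw.crt 192.0.2.10
    make_p12 fw.crt fw.key ca.crt fw.p12 changeit   # placeholder password
  )
  echo "$d"
}

if [ "${1:-}" = run ]; then demo; fi
```

With the real CA, only gen_csr is run by you; the CSR goes to the Windows CA, the returned certificate (plus the CA chain export) goes through key_matches_cert, chain_ok and san_present, and then either the cp commands in the steps above (no multiportal) or make_p12 followed by the SmartConsole import (multiportal running).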
VladimirM_87
Participant

Thanks! It works.

0 Kudos
