Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
lolith
Participant
Jump to solution

OpenSSL latest version support for pkcs12 cert creation

Hello,

 

Recently we hit this SK sk123237"Failed to import outbound certificate. Check that the certificate's format is suitable and that the...

 

We have an environment running on both R81.10 and R81.20. The OpenSSL version 3.x.x was released a long time back and most of our systems and machines are running with OpenSSL 3.x.x. So, it becomes really hard to go lower version just to create pkcs12 cert for Checkpoint. Is there any plan to fix this certificate issue with these latest versions of OpenSSL?

 

Regards,

Lolith

0 Kudos
1 Solution

Accepted Solutions
TRajkumar
Contributor

Hi Everyone,

  Just for your knowledge from myside.

 I have completed the certifications and activated the HTTPS inspection successfully.

Follow the sk165856, But instead of step 6 i followed the below

1. Get the signed certificate as .CRT format

2.Use a Key file in .key format

3.Run "cpopenssl pkcs12 -export -in inspection-ca.crt -inkey inspection-key.key -out inspection.pfx"

4.After got the certificate in .pfx format, rename it to .p12 format

5.import to smart console.

 

Hope this helps everyone:)

 

Thanks

Rajkumar

View solution in original post

8 Replies
Tobias_Moritz
Advisor

While I'm also interested in the answer from CP to your question, I want to offer you are workaround you may not know yet, when you say it becomes really hard to find hosts with legacy openssl versions to create pkcs12 containers which you can load into Check Point products:

Use the openssl v3 parameter -legacy or specify pbe crypto functions manually like -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES to enforce crypto functions which are compatible with openssl v1.

Other options would be creating the pkcs12 file directly on Gaia CLI with cpopenssl or install the OpenSSLv1.1 version next to OpenSSLv3 on your modern linux hosts. On RHEL9 e.g., there is a package called compat-openssl11 for that purpose.

Btw: R81.20 is based on RHEL7 and R82 will be based on RHEL8. OpenSSLv3 was introduced with RHEL9. But GAIA is not a clean RHEL, so CP could bundle OpenSSLv3 with R82 if they want and fix all dependencies. I have no access to R82 EA currently, so I cannot verify if they did already.

0 Kudos
lolith
Participant

Hello Tobias,

Thanks for your reply.

We did try with -legacy parameter, but did not work as expected. Was still giving error for some reason.

The other problem is our PKI team is different and we create the PKCS12 cert from our internal CA systems. So, PKI don't have access to our GAIA CLI. Unfortunately, there is quite restricted access in our company.


So as a workaround, we have both V1 and V3 installed and its cumbersome and compliance issue with lower version being running all the time. So, we install v1, create cert and then delete 😞

Permanent fix would always benefit everyone in the involving world I believe.

 

Regards,

Lolith

0 Kudos
PhoneBoy
Admin
Admin

When we update OpenSSL, it will most likely be done as part of a major release (R82 or one thereafter).
Unfortunately, I haven't seen R82 code yet to verify if this was done.
In any case, you may need to reach out to your local Check Point office to discuss a possible RFE.

0 Kudos
TRajkumar
Contributor

Hi Mr.Phoneboy

 Hope your are doing well..

 I have the issue for creating the certificate for the HTTPS inspection. I followed the article sk165856 and stuck at 6th step.

I unable to convert the certificate to p12 format.  I tried the conversion from linux machine and got it, but its from openssl v3. it not supported by the checkpoint. How i proceed this. could you pls guide me for the any other alternate steps.

if i try the conversion on checkpoint, gets "unable to load certificate" message. Can you let me know which version of openssl checkpoint was using.

Thanks

Rajkumar

0 Kudos
PhoneBoy
Admin
Admin

I don't recall the exact version of OpenSSL we use, but it's a 1.x version.
You can use cpopenssl on a Check Point gateway/management.

0 Kudos
TRajkumar
Contributor

Hi

Yes, i got the version of checkpoint its 1.1.1k. But i faced an error "Unable to load certificates" when converting the signed certificate to p12 format. Any compatibility need to check from CA server side for this lower version of openssl.

Your guidance would be appreciated 🙂

Thanks

0 Kudos
PhoneBoy
Admin
Admin

Try generating a CSR via the CLI as described here: https://support.checkpoint.com/results/sk/sk165856
Get your CA to sign it and follow the steps.
If it still doesn't work, I suggest a TAC case: https://help.checkpoint.com 

0 Kudos
TRajkumar
Contributor

Hi Everyone,

  Just for your knowledge from myside.

 I have completed the certifications and activated the HTTPS inspection successfully.

Follow the sk165856, But instead of step 6 i followed the below

1. Get the signed certificate as .CRT format

2.Use a Key file in .key format

3.Run "cpopenssl pkcs12 -export -in inspection-ca.crt -inkey inspection-key.key -out inspection.pfx"

4.After got the certificate in .pfx format, rename it to .p12 format

5.import to smart console.

 

Hope this helps everyone:)

 

Thanks

Rajkumar

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events