This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thuan
Participant
‎2022-11-11 12:50 AM
Jump to solution

secret key on smart-1?

Hello experts, During the creation of site-to-site and ssl vpn, I want to know which device generates the private-public key pair and where the private key is stored, in 2 cases: - Case 1: the gw system does not use smart-1 (ngsm), that is, only local management - Case 2: the gw system is managed by a separate smart-1 I have consulted the "Site to Site VPN R81 Administration Guide" document but still feel unclear. Please help me explain.
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2022-11-12 05:48 AM
Jump to solution

Short answer: the gateway has the private key, both have the public key.
This is consistent with how the RSA cryptosystem works, which is the basis for IPsec VPN, TLS, SIC, and others.

VPN Certificates come from the Internal Certificate Authority (ICA), which exists on the management and is based on the 
Whether it's a device separate from the gateway or the same device (i.e. locally managed) doesn't matter.

When a Check Point gateway is first installed, it generates a unique private key, which is then signed by the ICA when SIC is established.
Much like when you issue a Certificate Signing Request for a certificate to a public CA for a website, the ICA does not need to know the gateway's private key in order to sign the certificate.

We do not provide a mechanism to export private keys from the gateway.
It is trivial (and more secure) to generate a new keypair signed by the same Certificate Authority as before.

View solution in original post

(2)
6 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2022-11-11 01:37 AM
Jump to solution

See https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuid...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Thuan
Participant
‎2022-11-12 02:18 AM
In response to G_W_Albrecht
Jump to solution

I have read the document you sent. I am aware that:
- ICA is part of Check Point suite used to create SIC trusted connection between Security Gateways, admin authentication and third party servers. The ICA provides certificates for Internal Secure Gateways and remote access clients that negotiate VPN links.
- The ICA Management Tool runs on Security Management Server / Multi-Domain Security Management Server.
However:
- A certificate is automatically issued by the Internal Certificate Authority for all internally managed entities that are VPN-capable. That is, after the administrator enables the IPsec VPN Software Blade in a Security Gateway or Cluster object
- IPSec VPN Software Blade is a feature that belongs to the security gateway.

I am not a checkpoint vpn deployer. I am dealing with this for import and export. What I need to know is where is the vpn private key generated and stored? on the security gateway (such as SG6200) or on the management device (smart-1)?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-12 05:48 AM
Jump to solution

Short answer: the gateway has the private key, both have the public key.
This is consistent with how the RSA cryptosystem works, which is the basis for IPsec VPN, TLS, SIC, and others.

VPN Certificates come from the Internal Certificate Authority (ICA), which exists on the management and is based on the 
Whether it's a device separate from the gateway or the same device (i.e. locally managed) doesn't matter.

When a Check Point gateway is first installed, it generates a unique private key, which is then signed by the ICA when SIC is established.
Much like when you issue a Certificate Signing Request for a certificate to a public CA for a website, the ICA does not need to know the gateway's private key in order to sign the certificate.

We do not provide a mechanism to export private keys from the gateway.
It is trivial (and more secure) to generate a new keypair signed by the same Certificate Authority as before.

(2)
Thuan
Participant
‎2022-11-14 01:10 AM
In response to PhoneBoy
Jump to solution

I understand your answer. But can we show the private key.
My colleague has read the documentation but asserts that smart-1 is the source of the private-public key pair.
Quote: "Instead of the Security Management Server generating both public and private keys and downloading them to the module during a policy installation, the management server instructs the module to create its own public and private keys and send (to the management server) only its public key." page 77/Site to Site VPN R81 Administration Guide

 

0 Kudos
Thuan
Participant
‎2022-11-14 06:05 AM
In response to Thuan
Jump to solution

Is there any document that clearly states that: security gateway is where the private key is generated and stored, not smart-1?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-14 06:31 AM
In response to Thuan
Jump to solution

The quote you provided from the documentation confirms the explanation:

  • "The management server instructs the module to create its own public and private keys" meaning the management server does not have any keys at this point.
  • "send (to the management server) only its public key." meaning the management server only receives a public key from the security gateway

The end result: only the gateway has the private encryption key.
We don't provide a mechanism to show the private key on the gateway.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events