This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PJ_WONG
Contributor
‎2025-07-07 03:13 AM

Adding certificate as MFA authentication for Remote Access VPN

Hi CheckMates,

I need some help with setting up Remote Access VPN using certificate-based MFA together with AD username/password.

Currently, my environment has Check Point integrated with Active Directory, and Remote Access VPN is working fine with just username/password authentication from AD.

Now, I want to add certificate authentication as a second factor. Here’s what I’ve tried so far:

  1. Used the enrollment key for the client to enroll for a certificate.

  2. Used cpca_client create_cert to generate a .p12 certificate and imported it manually.

Both methods work only for SmartConsole internal users, but not for AD users.

So my questions are:

  • Do I need to set up AD Certificate Services (CA) to make this work with AD users? If yes, how would that integrate?

  • Is there any additional configuration needed on the Check Point side to enable certificate + AD username/password for VPN users?

Thank you in advance for any guidance!

 

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2025-07-07 03:55 AM

If you mean adding machine certificate, it is well documented in the admin guide, for example: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...

 

If something else, please elaborate

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-07 12:09 PM

We would treat AD Certificates the same way we handle any other third party PKI.
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C... 

And yes, you need to configure multiple authentication factors (I believe certificates must always be first).
This is also in the same documentation.

0 Kudos
PJ_WONG
Contributor
‎2025-07-08 01:21 AM

Thanks for the guide, so for the AD user to connect with certificate + username/password, I will need to generate a CSR to send to AD to sign first.

The guide does not mention how the certificate should be distribute, so am I correct to assume that the certificate will be issued and distributed by the AD Certificate Services? Then the user will use this certificate along with their AD credentials to connect to the VPN?

0 Kudos
PhoneBoy
Admin
Admin
‎2025-07-08 07:34 AM
In response to PJ_WONG

That's the whole point of using a third party PKI: we're not involved in certificate distribution.
However, the infrastructure (including end users) will need to be able to validate their certificates.
This means for Remote Access purposes, it may be necessary to permit access to the CRL/OSCP of the relevant CA infrastructure.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events