electromichi3
Explorer

Avoiding VPN client fingerprint message when changing certificate

Hello Guys,

I'm in need to change the certificate which is presented to the clients for Remote Access.

As far as I understand, Check Point presents the fingerprint of the Root CA of the VPN certificate so the client doesn't have issues when certificates are exchanged, if they come from the same CA.

Unfortunately we are moving from one CA to another and this is not clear to me, also not in the SK: Avoiding VPN / SNX client fingerprint message when changing certificate or connecting to a backup si...

We have "vpn.corp.com" as CN/DNS. So I already dug into the registry of my clients, and there is, as mentioned, a respective fingerprint for my VPN infrastructure.
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\vpn.corp.com]
"--Fingerprint--"=" XXXX XXX XXX XXX XXXX XXX XXXX XXXX XXX XXXX  XXX XXXX"

1. Question: Can I assign more than one fingerprint in the registry? So we have an entry for our "vpn.corp.com" and there is currently one fingerprint. Can I enter the second (new) one too, and will it work? Is there an SK for this?
So it will look like:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\vpn.corp.com]
"--Fingerprint--"=" XXXX XXX XXX XXX XXXX XXX XXXX XXXX XXX XXXX  XXX XXXX"
"--Fingerprint--"=" YYYY YYY YYY YYY YYYY YYY YYYY YYYY YYY YYYY  YYY YYYY"

2. Question: If 1. is not a viable option, will I be forced to create a new DNS entry (for example remote.corp.com) to prepare the registry? And also reflect this in the new certificate?
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\remote.corp.com]
"--Fingerprint--"=" YYYY YYY YYY YYY YYYY YYY YYYY YYYY YYY YYYY  YYY YYYY"

3. Question: I did not find the SK where it is clearly mentioned which fingerprint of which certificate Check Point will present to its clients. Is there something? Because even the SK above says "From test host with VPN client installed and existing site created, export the following registry key value data:"
And this is quite hard in a live environment.

Regards


0 Kudos
5 Replies
_Val_
Admin

It seems you already did most of your investigative work, @electromichi3

Funny thing, your post title is almost identical to the SK you cannot find.

Look into sk66263, that's all you need.

0 Kudos
electromichi3
Explorer

Hello, 

Yes, as mentioned, I found this article, but it is not clear to me whether, when I change the fingerprint, I can just enter a second one in the Windows registry. So the client will trust 2 fingerprints, then we migrate the certificate and then we remove the old fingerprint from the client.

I'm in need to let the user trust the old AND the new fingerprint, because we can't push the registry key to all clients in the same moment we replace the cert on the gateway.

0 Kudos
_Val_
Admin

Safest is to use different site IDs, such as you described in question 2. I would also check in the lab if you can have two fingerprints for a single site. Most probably not, but worth checking.

Also, are you moving CMA to a different IP or just moving the GW to another MGMT? If former, you can keep your fingerprint.

0 Kudos
Tobias_Moritz
Advisor

Regarding question 3: What the CP VPN client is checking here is the RFC 1751 encoded representation of the SHA-1 fingerprint of the root certificate of your VPN GW SSL certificate chain.

0 Kudos
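As an added illustration of the two points above (the client pins the root of the gateway's chain, and the accepted value lives under the accepted_cn key the original post quotes), here is a PowerShell snippet for a test host. It is not code from the thread or from Check Point; the certificate file paths, the function names and the output file are assumptions. It shows which certificate's SHA-1 the client cares about, reads what this host currently accepts for a site, and exports that key as a .reg file (the export step the SK describes). Converting the hex thumbprint into the word form stored in the registry needs the RFC 1751 dictionary, which this snippet does not include, so the authoritative value still comes from exporting it on a host where the new site was accepted.

```powershell
# Added example, not from the thread or Check Point. Paths and site name are placeholders.
Add-Type -AssemblyName System.Security

function Get-RootThumbprint {
    param(
        [Parameter(Mandatory)] [string]   $LeafPath,          # gateway (leaf) certificate, DER or PEM
        [string[]] $ChainPaths = @()                          # intermediates/root not yet in the Windows store
    )
    $x509  = 'System.Security.Cryptography.X509Certificates.X509Certificate2' -as [type]
    $leaf  = $x509::new($LeafPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Offline structural check only: no CRL/OCSP, and allow a root this machine does not trust yet.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    foreach ($p in $ChainPaths) { $null = $chain.ChainPolicy.ExtraStore.Add($x509::new($p)) }
    $null = $chain.Build($leaf)
    # The last element is the top of the chain; for a complete chain that is the self-signed root.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject      = $top.Subject
        IsSelfSigned = ($top.Subject -eq $top.Issuer)   # $false means the chain did not reach the root
        Sha1Hex      = $top.Thumbprint                  # .NET Thumbprint = SHA-1 over the DER encoding
    }
}

function Get-AcceptedFingerprint {
    param([Parameter(Mandatory)] [string] $Site)
    # Key and value name exactly as posted in the thread.
    $key = "HKLM:\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\$Site"
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key).'--Fingerprint--'
}

function Export-AcceptedFingerprint {
    param(
        [Parameter(Mandatory)] [string] $Site,
        [Parameter(Mandatory)] [string] $OutFile
    )
    # reg.exe produces a .reg file that can be reviewed and pushed by your deployment tooling.
    & reg.exe export "HKLM\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\$Site" $OutFile /y | Out-Null
    Get-Content -Path $OutFile
}

# Usage on a test host (placeholder paths; 'vpn.corp.com' is the site name from the thread):
Get-RootThumbprint -LeafPath 'C:\certs\vpn.corp.com.cer' -ChainPaths 'C:\certs\new-root.cer'
Get-AcceptedFingerprint -Site 'vpn.corp.com'
Export-AcceptedFingerprint -Site 'vpn.corp.com' -OutFile "$env:TEMP\accepted_cn_vpn.corp.com.reg"
```

If IsSelfSigned comes back $false, the chain file set is incomplete and the thumbprint shown is of an intermediate, not the root the client pins; supply the missing certificate via -ChainPaths before trusting the value. Comparing the export from a host that already accepted the new site against the export from a host still on the old one is the safest way to see exactly what changes in the key when the CA is swapped.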
Jacinto_Rodrigu
Explorer

Windows registry does not allow 2 of the same values in a registry key.

Working with support we were told this should work:

"--Fingerprint--"=" XXXX XXX XXX XXX XXXX XXX XXXX XXXX XXX XXXX  XXX XXXX: YYYY YYY YYY YYY YYYY YYY YYYY YYYY YYY YYYY  YYY YYYY"

Has not been tested yet, so if anyone tests, would like to hear back on results.

0 Kudos