Hello, 

yes as mentioned I found this article, but it is not clear for me if I change the fingerprint if I can enter just a second one in the windows registry. So the client will trust 2 fingerprints, then we migrate the certificate and then we remove the old fingerprint from the client.

I'm in need to let the user trust the old AND the new fingerprint because we cant push the registry key to all clients in the same moment where we replace the cert on the gateway

Safest is to use different site IDs, such as you described in question 2. I would also check in the lab if you can have two fingerprints for a single site. Most probably not, but worth checking.

Also, are you moving CMA to a different IP or just moving the GW to another MGMT? If former, you can keep your fingerprint.

@Jacinto_Rodrigu  - did you ever get a chance to test this to see if it works.

Also, I know that CP uses the RFC 1751 to create the fingerprint in human text, but do they have a tool to determine the fingerprint without installing/replacing the current certificate on a gateway?

Also, do they plan to make it easier to manage the SSL cert for the MAB?  With browsers all enforcing a max validity of 397 days, it means a lot more frequent update of the certificate than in the past, and it's a very manual process with about a dozen steps just to get a proper wildcard cert for a single gateway.

Regarding "Also, I know that CP uses the RFC 1751 to create the fingerprint in human text, but do they have a tool to determine the fingerprint without installing/replacing the current certificate on a gateway?":

--> Maybe, I've never found one. So I used the C code from that RfC, compiled it and used it for converting in both directions. Please take care to use the SHA-1 fingerprint of the root certificate of your VPN GW SSL certificate chain. Not the fingerprint from the actual server certificate or any of the intermediate ones.

$ ./rfc_1751.exe "f9:02:bc:09:9a:9e:58:dc:28:6f:f6:4c:54:dd:71:e0:cf:29:f2:30"
Output: WEAN GAM ANT PRY SURF CURL MEW FEUD HALO LAIR SAUL TUBA
$ ./rfc_1751.exe "WEAN GAM ANT PRY SURF CURL MEW FEUD HALO LAIR SAUL TUBA"
Output: F9:02:BC:09:9A:9E:58:DC:28:6F:F6:4C:54:DD:71:E0

Back in R77 days, I remember it was possible to import the new certificate in SmartDashboard, NOT clicking ok or save, than copy the new fingerprint it shows to you, and than click cancel. Never tried this with R80+ and SmartConsole, maybe it is still working this way.

And as CP is only checking fingerprint of Root CA, there is no need to update trust on clients when you stay with that Root CA while changing server cert every year.

That's what I thought, and I just confirmed that I have the same fingerprint on my two clusters that have the same Root CA.  We must have switches Root CAs or the CA must have updated their Root certificate path the last time we renewed as it changed on us and we had to scramble to push out a registry edit to all client so that users didn't get the prompt.

How is everyone handling the need to renew a wildcard certificate every year with the new browser changes introduced over the past year forcing CAs to limit validity to 397 days?  Any done any automation or use any 3rd party certificate management tools to help with this process?

Just an update to myself.  It's not the fingerprint of the Root CA, it's the CA that issued the certificate.  So if you are using a traditional public CA that has a 2 tier hierarchy, it's the intermediate CA fingerprint that it used.

DigiCert Global Root CA

--> GeoTrust RSA CA 2018

      ---> portal.example.com

So in that example, it's the fingerprint on GeoTrust RSA CA 2018 that is used by the client for verification.

Could you please double check that?

In all the years I've doing this, it was always the fingerprint of the Root CA, never the one of the issuing CA or any other intermediate CA.

I've even checked some environments this morning, its always the fingerprint of the Root CA which is shown.

I did double-check. 

The fingerprint shown from SmartConsole for the MAB certificate:

And the fingerprints for the Root CA and Subordinate CA (from SmartConsole, via the View option):

Even worse, the fingerprint that the SNX client shows appears to be the fingerprint of the actual certificate, not the Intermediate or the Root CA as is used by the Endpoint Security client.

I just confirmed this on my SNX install.  The fingerprint that the user is prompted to trust (or update every time the SSL certificate is updated) is from the actual SSL Server certificate, not the Intermediate or the Root CA.

Very confusing and hard to tell which fingerprint the user will see.  Check Point needs an SK for this sort of information, so that it's clear which certificate fingerprint is used in which situation.

Just tested and it works! Even with more than two fingerprints...
But be careful not to have any blanks around the ":", at the beginning or the end.

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\vpn.acme.com]
"--Fingerprint--"="XXXX XXX XXX XXX XXXX XXX XXXX XXXX XXX XXXX XXX XXXX:YYYY YYY YYY YYY YYYY YYY YYYY YYYY YYY YYYY YYY YYYY"

Attention no space in between the colon and the 2nd fingerprint !!!

"--Fingerprint--"="XXXX XXXX XXXX XXXX XXXX XXXX:YYYY YYYY YYYY YYYY YYYY YYYY"