Bring Your CloudMates!
CheckMates Go:
The Truth is in the Middle
Join the Premier Event for
Securing Users & Access
Ultimate Guide to
Remote Workforce Security
History, Evolution & Future of Social Engineering
Live Webinar with Maya Horowitz
End of Support Policy Update
For R80.10 Release
Hello Guys,
I'm in need to change the Certificate which is represented to the Clients for Remote Access.
As far as I Understand, Checkpoint presents the Fingerprint of the Root CA of the VPN Certificate so the client dont have issues when Certificates are exchanged if they come from the same CA.
Unfortunately we are moving from one CA to another and this is not clearly for me. Also not in SK: Avoiding VPN / SNX client fingerprint message when changing certificate or connecting to a backup si...
We have "vpn.corp.com" as CN/DNS. So I digged already into the registry of my clients and there as mentioned a respective fingerprint for my VPN Infrastructure.
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\vpn.corp.com]
"--Fingerprint--"=" XXXX XXX XXX XXX XXXX XXX XXXX XXXX XXX XXXX XXX XXXX"
1. Question: Can I assign more then one Fingerprint in the Registry ? So we have an entry for our "vpn.corp.com" and there is currently one Fingerprint. Can I enter the second (new one) to and it will work? Is there an SK for this?
So it will look like:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\vpn.corp.com]
"--Fingerprint--"=" XXXX XXX XXX XXX XXXX XXX XXXX XXXX XXX XXXX XXX XXXX"
"--Fingerprint--"=" YYYY YYY YYY YYY YYYY YYY YYYY YYYY YYY YYYY YYY YYYY"
2. Question: If the 1. is not a viable option will I be forced to create a new DNS Entry (for example remote.corp.com) to prepare the registry? And also reflect this in the new certificate ?
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\accepted_cn\remote.corp.com]
"--Fingerprint--"=" YYYY YYY YYY YYY YYYY YYY YYYY YYYY YYY YYYY YYY YYYY"
3. Question: I did not find the SK where it is cleary mentioned which fingerprint of which certificate checkpoint will present its clients. Is there something? Because even the SK above in the text says "From test host with VPN client installed and existing site created, export the following registry key value data:"
And this is quite hard in a live environment.
Regards
_Val_
It seems, you already did most of your investigative work, @electromichi3
Funny thing, your post title is almost identical to SK you cannot find.
Look into sk66263, that's all you need.
Hello,
yes as mentioned I found this article, but it is not clear for me if I change the fingerprint if I can enter just a second one in the windows registry. So the client will trust 2 fingerprints, then we migrate the certificate and then we remove the old fingerprint from the client.
I'm in need to let the user trust the old AND the new fingerprint because we cant push the registry key to all clients in the same moment where we replace the cert on the gateway
_Val_
Safest is to use different site IDs, such as you described in question 2. I would also check in the lab if you can have two fingerprints for a single site. Most probably not, but worth checking.
Also, are you moving CMA to a different IP or just moving the GW to another MGMT? If former, you can keep your fingerprint.
Regarding to question 3: What the CP VPN client is checking here is the RfC#1751 encoded representation of the SHA-1 fingerprint of the root certificate of your VPN GW SSL certificate chain.
Windows registry does not allow 2 of the same values in a registry key.
Working with support we were told this should work:
"--Fingerprint--"=" XXXX XXX XXX XXX XXXX XXX XXXX XXXX XXX XXXX XXX XXXX: YYYY YYY YYY YYY YYYY YYY YYYY YYYY YYY YYYY YYY YYYY"
Has not been tested yet, so if anyone tests, would like to hear back on results.
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY