This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Di_Junior
Advisor
Advisor
‎2020-04-03 01:09 AM
Jump to solution

Changing the Certificate presented during Endpoint Security Client

Good day Mates

We are currently using the Check Point Endpoint Security, and during the Site creation, we are presented with a self-signed certificate. We wish to change that to a certificate signed by a CA.

Any idea on how that could be accomplished? we are using R80.20.

Thanks in advance

0 Kudos
1 Solution

Accepted Solutions
Norbert_Bohusch
Advisor
‎2020-04-05 11:06 PM
In response to PhoneBoy
Jump to solution

Sure it can be changed and it is often necessary, if you have external partners connecting using a client VPN solution.

 

You have to first add the CAs, then create a CSR in the IPSEC VPN of the gateway.

Here an example from my lab:

2020-04-06_08-00-35.png

After completing the CSR, you can choose the certificate under "VPN Client":

2020-04-06_08-00-52.png

 

 

 

 

 

 

 

 

 

 

 

But if you have Mobile Access active and you change the certificate there on the MP daemon, you don't need this and it is also changed for VPN clients:

2020-04-06_08-05-40.png

View solution in original post

18 Replies
PhoneBoy
Admin
Admin
‎2020-04-05 08:50 PM
Jump to solution

Why do you wish to change the CA used here exactly?

The key presented is signed by a Certificate Authority: the internal Check Point one.
As it is used for a lot of things (including VPN), the internal CA cannot be removed.
You also cannot replace the internal CA with an external one.

I know for site-to-site VPNs for third parties, you can specify which Certificate Authorities can be used for VPN.
That's done here:

Screen Shot 2020-04-05 at 8.40.52 PM.png

To add a different trusted CA, you need to create an object for it:

Screen Shot 2020-04-05 at 8.44.14 PM.png

Whether that works for Remote Access VPN is a separate question. 
Even if you could, I don't believe it changes the end user experience at all (i.e. they'll still get prompted to validate the site certificate when they first connect).

0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-05 11:06 PM
In response to PhoneBoy
Jump to solution

Sure it can be changed and it is often necessary, if you have external partners connecting using a client VPN solution.

 

You have to first add the CAs, then create a CSR in the IPSEC VPN of the gateway.

Here an example from my lab:

2020-04-06_08-00-35.png

After completing the CSR, you can choose the certificate under "VPN Client":

2020-04-06_08-00-52.png

 

 

 

 

 

 

 

 

 

 

 

But if you have Mobile Access active and you change the certificate there on the MP daemon, you don't need this and it is also changed for VPN clients:

2020-04-06_08-05-40.png

Di_Junior
Advisor
Advisor
‎2020-04-06 12:27 AM
In response to Norbert_Bohusch
Jump to solution

Hi Norbert
Thanks for your help.
Could you kindly tel me how to generate a CSR in the IPSEC of the gateway?
Thanks once again
0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-06 12:29 AM
In response to Di_Junior
Jump to solution

You click add, choose the right CA (has to be imported before), then enter details like DN and SAN.
After clicking ok, you can select the line with the new certificate and click view. Then you see the CSR.
You let your CA sign the CSR and then go back to this menu and click complete and paste the cert.
0 Kudos
Di_Junior
Advisor
Advisor
‎2020-04-06 01:22 AM
In response to Norbert_Bohusch
Jump to solution

Hi Norbet
This is something I have not done before, so please where can I get the CA to be imported? and where is it imported from?
Thanks
0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-06 01:26 AM
In response to Di_Junior
Jump to solution

This was already by Phoneboy above.
Just add an object called "Trusted CA" (and Intermediate if you have Sub CAs) and import the certificate of the CA.
0 Kudos
Di_Junior
Advisor
Advisor
‎2020-04-06 01:59 AM
In response to Norbert_Bohusch
Jump to solution

Hi Norbet

I saw it thanks.
One final question, once the certificate is signed by CA, users will no longer get that Certificate Error Message when configuring VPN site right?
0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-06 02:03 AM
In response to Di_Junior
Jump to solution

Users who are trusting the relevant CA will not receive a warning...
0 Kudos
Leon_Noble
Explorer
‎2024-02-02 06:20 AM
In response to Norbert_Bohusch
Jump to solution

Hi Norbert,

Thank you for the above information, this is all very helpful. Silly question time, for the users trusting the relevant subordinate CA and CA, I assume this trust is validated using the respective CA certificates stored in the local machines Trusted Root Certification Authorities and Intermediate Certification Authorities certificate repository?

Then the remote client validates the certificate presented by the Gateway using this chain without prompting the user to trust the new/updated certificate?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-02-08 03:19 PM
In response to Leon_Noble
Jump to solution

That's correct to the best of my knowledge.

0 Kudos
brunoobr
Explorer
‎2023-11-13 12:19 PM
In response to Norbert_Bohusch
Jump to solution

Hello Nobert!

 

I came to this forum last year and based on this discussion, I was able to gen a CSR and use a valid third-party certificate in my RA-VPN. Now I need renew my cert and form some reason, I'm getting an erro message that a similar cert is in use. I've tried different methods, but nothing seems to work.

I'm dropping a screenshot with the error for reference. Is there a way to gen a CSR without deleting the actual certificate?

 

Preview file
66 KB
0 Kudos
Norbert_Bohusch
Advisor
‎2023-11-13 12:38 PM
In response to brunoobr
Jump to solution

You have to delete it.

Just don’t push policy until you complete the procedure.

0 Kudos
(1)
brunoobr
Explorer
‎2023-11-13 12:40 PM
In response to Norbert_Bohusch
Jump to solution

Ok. Got it. Thanks!

0 Kudos
Di_Junior
Advisor
Advisor
‎2020-04-06 03:56 AM
In response to PhoneBoy
Jump to solution

Hi Phoneboy
Thanks for your feedback.
Just for knowledge purposes, I would like to know which other things uses this certificate.
0 Kudos
Norbert_Bohusch
Advisor
‎2020-04-06 03:57 AM
In response to Di_Junior
Jump to solution

If you only import for IPSEC VPN, it can only be used for VPN and Remote Access.
0 Kudos
Di_Junior
Advisor
Advisor
‎2020-04-08 04:39 AM
In response to Norbert_Bohusch
Jump to solution

Hi Norbert
Thank you very much.

It worked...
0 Kudos
GHaider
Contributor
‎2020-12-16 10:08 AM
Jump to solution

if you have "mobile access" blade disabled, this setting is ignored, and it always uses the defaultCert from the internal CA... 

Screenshot 2020-12-16 190433.jpg

no way to change the certificate for me... 😞

0 Kudos
Norbert_Bohusch
Advisor
‎2020-12-17 12:47 AM
In response to GHaider
Jump to solution

It might be that some other cert is used from another https portal.

Enabling one portal, changing certificate there and disabling it, might help.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events