Changing the Certificate presented during Endpoint Security Client

Good day Mates

We are currently using the Check Point Endpoint Security, and during the Site creation, we are presented with a self-signed certificate. We wish to change that to a certificate signed by a CA.

Any idea on how that could be accomplished? We are using R80.20.

Thanks in advance

Accepted Solution

Sure, it can be changed, and it is often necessary if you have external partners connecting using a client VPN solution.

You first have to add the CAs, then create a CSR in the IPSec VPN section of the gateway object.

Here is an example from my lab:

[Screenshot: 2020-04-06_08-00-35.png]

After completing the CSR, you can choose the certificate under "VPN Client":

[Screenshot: 2020-04-06_08-00-52.png]

But if you have Mobile Access active and you change the certificate there, on the MP daemon, you don't need this, and it is also changed for VPN clients:

[Screenshot: 2020-04-06_08-05-40.png]

11 Replies

Why do you wish to change the CA used here exactly?

The key presented is signed by a Certificate Authority: the internal Check Point one.
As it is used for a lot of things (including VPN), the internal CA cannot be removed.
You also cannot replace the internal CA with an external one.

I know for site-to-site VPNs for third parties, you can specify which Certificate Authorities can be used for VPN.
That's done here:

[Screenshot: Screen Shot 2020-04-05 at 8.40.52 PM.png]

To add a different trusted CA, you need to create an object for it:

[Screenshot: Screen Shot 2020-04-05 at 8.44.14 PM.png]

Whether that works for Remote Access VPN is a separate question. 
Even if you could, I don't believe it changes the end user experience at all (i.e. they'll still get prompted to validate the site certificate when they first connect).

Hi Norbert
Thanks for your help.
Could you kindly tell me how to generate a CSR in the IPSec VPN section of the gateway?
Thanks once again

You click Add, choose the right CA (it has to be imported beforehand), then enter details like the DN and SAN.
After clicking OK, you can select the line with the new certificate and click View. Then you see the CSR.
You let your CA sign the CSR, then go back to this menu, click Complete and paste the certificate.

Hi Norbert
This is something I have not done before, so please, where can I get the CA to be imported, and where is it imported from?
Thanks

This was already shown by Phoneboy above.
Just add an object of type "Trusted CA" (and an Intermediate CA object if you have sub-CAs) and import the certificate of the CA.
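
The procedure described in the two posts above (import the CA as a Trusted CA / Intermediate CA object, let the gateway create a CSR with DN and SAN, have the CA sign it, paste the certificate back under Complete) can be rehearsed end to end with OpenSSL before touching the gateway. The following shell script is an added example and is not code from this thread or from Check Point: it builds a constructed two-tier lab CA that stands in for the enterprise PKI, generates a CSR with the DN and SAN the gateway would put in its own request (the real CSR is copied out of the View dialog instead), signs it in a way that keeps the SAN, and then verifies the chain the way an Endpoint client that trusts the CA would. The names lab-root-ca, lab-issuing-ca, vpn.example.com, "Example Corp" and the $WORK directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a constructed lab PKI standing in for the
# enterprise CA. It signs a CSR carrying the gateway's site name in the SAN and
# verifies the resulting chain. Assumed names: lab-root-ca, lab-issuing-ca,
# vpn.example.com, "Example Corp", and the scratch directory $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SITE="vpn.example.com"   # the name users type when creating the VPN site

# Step 1 ("add the CAs"): root + intermediate. SmartConsole only needs the two
# certificates (root -> Trusted CA object, intermediate -> Intermediate CA
# object); the private keys never leave the CA host.
make_lab_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=lab-root-ca" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=lab-issuing-ca" \
        -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 1825 -in "$WORK/issuing.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/ca.ext" -out "$WORK/issuing.pem" 2>/dev/null
    # DER copies for the import dialog; keep both encodings, which one the
    # dialog expects depends on the SmartConsole version.
    openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.der"
    openssl x509 -in "$WORK/issuing.pem" -outform DER -out "$WORK/issuing.der"
}

# Step 2 ("enter details like DN and SAN"): in the real flow the gateway
# generates this CSR under IPSec VPN and you copy it out of the View dialog;
# here a locally generated CSR with the same DN/SAN stands in for it.
make_gateway_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$SITE/O=Example Corp" -addext "subjectAltName=DNS:$SITE" \
        -keyout "$WORK/gw.key" -out "$WORK/gw.csr" 2>/dev/null
}

# Step 3 ("let your CA sign the CSR"): `openssl x509 -req` drops the extensions
# of the request, so the SAN is read back out of the CSR and re-applied through
# -extfile. Without it clients only have the CN to match the site name against.
sign_gateway_csr() {
    san=$(openssl req -in "$WORK/gw.csr" -noout -text \
          | sed -n '/Subject Alternative Name/{n;s/^ *//;p;}')
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=%s\n' "$san" \
        > "$WORK/gw.ext"
    openssl x509 -req -sha256 -days 397 -in "$WORK/gw.csr" \
        -CA "$WORK/issuing.pem" -CAkey "$WORK/issuing.key" -CAcreateserial \
        -extfile "$WORK/gw.ext" -out "$WORK/gw.pem" 2>/dev/null
    # gw.pem is what gets pasted into Complete on the gateway object.
}

# What a client that trusts the root does: build the chain. Exit 0 = no warning.
verify_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/issuing.pem" "$WORK/gw.pem" >/dev/null
}

# SAN actually present in the issued certificate, e.g. "DNS:vpn.example.com".
leaf_san() {
    openssl x509 -in "$WORK/gw.pem" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# Against a live gateway (needs network, not run here): show the subject, issuer
# and SAN the portal on port 443 really presents.
check_live_gateway() {   # usage: check_live_gateway <gateway-ip> [<sni-name>]
    openssl s_client -connect "$1:443" -servername "${2:-$1}" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -ext subjectAltName
}

make_lab_ca
make_gateway_csr
sign_gateway_csr
verify_chain && echo "chain OK, SAN: $(leaf_san)"
```

Only root.pem/root.der and issuing.pem/issuing.der go into the Trusted CA and Intermediate CA objects. After the signed certificate has been pasted into Complete, selected under VPN Client (or on the Mobile Access portal), and policy has been installed, `check_live_gateway <gateway-ip> vpn.example.com` is the quickest way to confirm that the gateway serves the CA-signed certificate and no longer the one from the internal Check Point CA.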
Hi Norbert

I saw it thanks.
One final question: once the certificate is signed by the CA, users will no longer get that certificate error message when configuring the VPN site, right?

Users who are trusting the relevant CA will not receive a warning...

Hi Phoneboy
Thanks for your feedback.
Just for knowledge purposes, I would like to know which other things use this certificate.

If you only import it for IPSec VPN, it can only be used for VPN and Remote Access.

Hi Norbert
Thank you very much.

It worked...