Good day Mates
We are currently using the Check Point Endpoint Security, and during the Site creation, we are presented with a self-signed certificate. We wish to change that to a certificate signed by a CA.
Any idea on how that could be accomplished? We are using R80.20.
Thanks in advance
Sure it can be changed and it is often necessary, if you have external partners connecting using a client VPN solution.
You have to first add the CAs, then create a CSR in the IPSEC VPN of the gateway.
Here is an example from my lab:
After completing the CSR, you can choose the certificate under "VPN Client":
But if you have Mobile Access active and you change the certificate there on the MP daemon, you don't need this and it is also changed for VPN clients:
Why do you wish to change the CA used here exactly?
The key presented is signed by a Certificate Authority: the internal Check Point one.
As it is used for a lot of things (including VPN), the internal CA cannot be removed.
You also cannot replace the internal CA with an external one.
I know for site-to-site VPNs for third parties, you can specify which Certificate Authorities can be used for VPN.
That's done here:
To add a different trusted CA, you need to create an object for it:
Whether that works for Remote Access VPN is a separate question.
Even if you could, I don't believe it changes the end user experience at all (i.e. they'll still get prompted to validate the site certificate when they first connect).
Hi Norbert,
Thank you for the above information, this is all very helpful. Silly question time: for the users trusting the relevant subordinate CA and CA, I assume this trust is validated using the respective CA certificates stored in the local machine's Trusted Root Certification Authorities and Intermediate Certification Authorities certificate repositories?
Then the remote client validates the certificate presented by the Gateway using this chain without prompting the user to trust the new/updated certificate?
That's correct to the best of my knowledge.
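As an added lab illustration of the chain validation discussed in the question above (not code from the thread or from Check Point), the script below builds a constructed root CA, intermediate CA and gateway certificate with openssl, then checks which presented certificate a client could accept given the roots and intermediates in its stores. It assumes `openssl` is on PATH; the names (Lab Root CA, vpn.example.test) are made up.

```shell
#!/bin/sh
# Added lab example (not from the thread): build a root CA, an intermediate
# CA and a gateway certificate, then check which of them a client would
# accept. All names (Lab Root CA, vpn.example.test) are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Extensions: CA certs may sign certs; the gateway cert is a plain server cert.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > gw.ext
printf 'subjectAltName=DNS:vpn.example.test\n' >> gw.ext

# issue NAME SUBJECT EXTFILE [ISSUER]: create key + CSR, then sign the CSR
# with ISSUER (like the CSR made on the gateway and signed by your CA), or
# self-sign it when no issuer is given.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "$2" 2>/dev/null
  if [ -n "${4:-}" ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -extfile "$3" \
      -out "$1.crt" 2>/dev/null
  fi
}
issue root  "/CN=Lab Root CA"         ca.ext
issue inter "/CN=Lab Intermediate CA" ca.ext root
issue gw    "/CN=vpn.example.test"    gw.ext inter   # CA-signed gateway cert
issue self  "/CN=vpn.example.test"    gw.ext         # stands in for the default self-signed cert

# client_trusts CERT ROOTSTORE [INTERMEDIATES]: returns 0 when CERT chains to
# a root in ROOTSTORE, which is the check a client makes against its Trusted
# Root and Intermediate stores before deciding whether to prompt the user.
client_trusts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

report() { if client_trusts "$@"; then echo "trusted:   $*"; else echo "untrusted: $*"; fi; }
report gw.crt   root.crt inter.crt   # full chain known: no prompt
report gw.crt   root.crt             # intermediate missing: chain cannot be built
report self.crt root.crt             # self-signed, not in the store: prompt
```

The second case is the one to check when rolling out a CA-signed gateway certificate: if the intermediate is neither installed on the clients nor sent by the gateway, the user is prompted exactly as with the default certificate.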
Hello Norbert!
I came to this forum last year and based on this discussion, I was able to gen a CSR and use a valid third-party certificate in my RA-VPN. Now I need to renew my cert and for some reason, I'm getting an error message that a similar cert is in use. I've tried different methods, but nothing seems to work.
I'm dropping a screenshot with the error for reference. Is there a way to gen a CSR without deleting the actual certificate?
You have to delete it.
Just don’t push policy until you complete the procedure.
Ok. Got it. Thanks!
If you have the "mobile access" blade disabled, this setting is ignored, and it always uses the defaultCert from the internal CA...
No way to change the certificate for me... 😞
It might be that some other cert is used from another https portal.
Enabling one portal, changing certificate there and disabling it, might help.