RS_Daniel
Advisor

External CA certificate authentication

Hello community!

I wanted to ask about some doubts we are facing during the redesign of a remote access service with one customer. The goal is to provide MFA. One factor is RADIUS and it is working fine. This is a cluster of 2 x 1800 on R81.10.08, centrally managed; the mgmt version is R81.20 Jumbo 41.

For the other factor we are trying certificates. With certs created from the mgmt it works perfectly, but the customer needs to use certificates from an existing CA (it is not the AD). The certificates are already deployed on the clients, but when we try to use that cert we get a "certificate invalid" error on the client, and the logs on the mgmt show "OCSP: could not connect to server. Make sure the server is up and running."

We have already created CA and sub-CA objects on the mgmt, and I can see traffic on port 80 from the gateway to the CA server, which I think is trying to validate the cert.

Is it mandatory to use OCSP to validate certificates from the CA? Or do we have other options?

The cert CN is username@domain; is there any configuration to make the gateway only read the username portion?

Is there anything else we should do on the Check Point side? The customer already asked the CA admin to check if OCSP is enabled on the server, but I wanted to see if I am missing something.

Regards

3 Replies
PhoneBoy
Admin

Whenever certificates are used, either CRL or OCSP must be used to validate the certificates, regardless of source.
The exact URL that is used to do this (listed in the certificate itself) must be accessible to all parties involved.

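To make the point above concrete, and to answer the CN question from the original post, here is an added example that is not part of this thread or of Check Point's own tooling. It builds a throwaway issuing CA and a user certificate whose CN is user@domain, carrying the Authority Information Access (OCSP) and CRL Distribution Points extensions, then extracts exactly the values a gateway relies on: the OCSP responder URL and CRL URL embedded in the certificate, and the username portion of the CN. The CA name, the CN alice@example.com and the URLs ocsp.example.com / pki.example.com are assumptions chosen for the example; substitute the customer's real certificate to see what the gateway will try to reach.

```shell
#!/bin/sh
# Added example (not from the thread). All names and URLs are assumed.
# Requires only the openssl CLI, which is present on Gaia and most Linux hosts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension block the CA admin would apply when issuing user certificates.
# These two URLs are what a validating gateway reads from the certificate.
cat > "$WORK/user.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://ocsp.example.com/
crlDistributionPoints = URI:http://pki.example.com/crl/issuing.crl
EOF

# Throwaway issuing CA (assumed name) and a user cert signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.crt" -days 1 -subj "/CN=Example Issuing CA" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
  -out "$WORK/user.csr" -subj "/CN=alice@example.com" >/dev/null 2>&1
openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/user.ext" -out "$WORK/user.crt" >/dev/null 2>&1

# OCSP responder URL from the AIA extension (the host the gateway connects to,
# usually over plain HTTP, which matches the port 80 traffic seen in the logs).
ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# CRL distribution point URL(s), taken from the certificate's text dump.
crl_uri() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *URI:\(http[^ ]*\.crl\).*/\1/p'
}

# Username portion of a CN of the form user@domain.
cn_user() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,@]*\)@.*/\1/p'
}

# Chain validation against the issuing CA. With a downloaded CRL the
# revocation check would be added as:
#   openssl verify -crl_check -CAfile ca.crt -CRLfile issuing.crl user.crt
# and a live OCSP probe from the gateway would be:
#   openssl ocsp -issuer ca.crt -cert user.crt -url "$(ocsp_uri user.crt)" -resp_text
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null; }

echo "OCSP URL : $(ocsp_uri "$WORK/user.crt")"
echo "CRL URL  : $(crl_uri "$WORK/user.crt")"
echo "CN user  : $(cn_user "$WORK/user.crt")"
verify_chain "$WORK/user.crt" && echo "chain    : ok"
```

Run `ocsp_uri` and `crl_uri` against the customer's deployed user certificate and then test reachability of those exact URLs from the gateway; if the AIA URL is empty, the gateway cannot use OCSP for that certificate and a reachable CRL distribution point is the remaining option.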
rbeck-TMWA
Explorer

But why is my client trying to validate OCSP now when it did not before? This was being handled by the server.

rbeck-TMWA
Explorer

Disregard my last reply
