Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
RS_Daniel
Advisor

External CA certificate authentication

Hello community!

I wanted to ask some doubts we are facing during the re-design of remote access service with one customer. The goal is to provide MFA. One factor is RADIUS and working fine, This is a cluster of 2 X 1800 on R81.10.08 centrally managed, mgmt version is R81.20 jumbo 41. 

For the other factor we are trying certificates. With certs created from the mgmt it works perfectly, but customer needs to use certificates from an existing CA (it is not the AD). The certificates are already deployed on the clients, but when we try to use that cert we get an error certificate invalid on the client, and logs on mgmt show "OCSP: could not connect to server. Make sure the server is up and running."

We already have created CA and subCA objects on mgmt, also i can see traffic on port 80 from the gateway to the CA server, i think trying to validate the cert.

Is it mandatory to use OSCP to validate certificates from the CA? or we have other options?

The cert CN is username@domain, is there any configuration to make the gateway only reads the username portion?

 is there anything else we should do on checkpoint side? customer already asked the CA admin to check if OSCP is enabled on the server, but wanted to see if i am missing something.

Regards

0 Kudos
1 Reply
PhoneBoy
Admin
Admin

Whenever certificates are used, either CRL or OSCP must be used to validate the certificates, regardless of source.
The exact URL that is used to do this (listed in the certificate itself) must be accessible to all parties involved.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events