Prasaddere
Contributor

How to prevent Untrusted Certificate warning message in checkpoint capsule connect

Hello,

We have deployed a new remote access VPN, where we implemented the VPN client on mobiles (Check Point Capsule Connect), but we are getting a certificate warning to Trust and Continue. So how do we prevent the Untrusted Certificate warning message on mobile phones (Check Point Capsule Connect)?

0 Kudos
16 Replies
AkosBakos
Leader

Hi @Prasaddere 

Can you share a screenshot of the message?

My first 2 ideas for a solution.

1:

Use a 3rd-party certificate. Choose one whose root is installed in the Trusted Root Certificate store on the device (e.g. DigiCert).

2:

Install Check Point's root and issuer certificates onto the devices.

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
the_rock
Legend

I see what Akos is saying. But first, a screenshot would certainly help. Just blur out any sensitive data, please.

Andy

0 Kudos
Prasaddere
Contributor

Attached screenshot. We have already deployed a certificate from the internal CA for the Mobile blade portal and a different certificate for the IPsec client, including all root and subordinate CAs. We are still getting the attached message for certificate trust the first time, which we need to avoid.

We had the same issue on Windows laptops, but we got a solution to add the fingerprint in the Windows registry, which we have added. The issue is now only on mobile phones.

0 Kudos
PhoneBoy
Admin

Pretty sure you need to deploy the ICA CA certificate to the mobile device as "trusted."
This either has to be done via MDM or manually.

0 Kudos
Prasaddere
Contributor

The certificate from the internal CA is already added, for the root CA as well as the issuing CA. Also, the server certificate is attached on the IPsec client, as a separate CSR was generated for mobile, against which we got another certificate (P12), which we imported on the mobile portal.

0 Kudos
AkosBakos
Leader

Hi,

To be sure, when you accepted the cert and checked the certificate chain, did everything look normal?

If you use MDM, does only one certificate store exist on the device?

Akos

----------------
\m/_(>_<)_\m/
0 Kudos
Prasaddere
Contributor

We have tried with the public certificate, but there the same trust message comes up the first time when creating the site.

0 Kudos
the_rock
Legend

Is it the same issue if the user deletes/re-creates the site?

Andy

0 Kudos
Prasaddere
Contributor

Yes, it is the same issue.

0 Kudos
the_rock
Legend

Did you end up opening a TAC case?

Andy

0 Kudos
Prasaddere
Contributor

You can say yes. IND TAC does not seem to have the expertise. Many of our cases go on month after month, with resolutions only asking for logs. A lot of delay in response.

0 Kudos
the_rock
Legend

I suppose you can always get in touch with your local SE and tell them about it or ask for it to be escalated.

Andy

0 Kudos
PhoneBoy
Admin

Are you sure that:

  • The gateway is sending the correct certificate?
  • The client is actually set to trust certificates signed by the relevant CA and sub-CA(s)? Please provide screenshots from the mobile client(s) showing the same certificate(s) shown in the above as trusted.

Also what mobile device(s) are you having this issue with?

 

0 Kudos
Prasaddere
Contributor

Hello Team,

We have resolved the issue. For certificate authentication, there was no issue, as we have an internal PKI certificate attached in the IPsec VPN. We had the issue when creating a new site in the application, which was giving a trust message with a fingerprint. For that, we followed the below in the Mobile blade portal settings certificate.

We had to put the external certificate, but DigiCert was giving only the domain name cert, so we had to combine this certificate with the intermediate and root certificates. Then we created a p12 cert, which we uploaded in the Mobile blade portal settings, and then the trust warning message was gone. It is not asking while creating the site.

Thanks all for your support.

(1)
the_rock
Legend

Great job, thanks for letting us know!

0 Kudos
PhoneBoy
Admin

That's pretty much standard operating procedure for anything related to certificates.
That means your p12 file should (also) contain root and intermediate CA(s). 

0 Kudos
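
The bundling step from the solution post, together with the point that the p12 should also contain the root and intermediate CA(s), as an added example that is not part of the original thread. It uses a constructed throwaway PKI in place of the real CA files; the hostname, password and file names are assumptions, and it checks that the leaf verifies only once the intermediate is supplied before building the p12.

```shell
#!/bin/sh
# Added example; the PKI, hostname and password are constructed for the demo.
set -eu
P12_PASS='demo-only-password'

issue() {  # issue <dir> <name> <CN> <extfile> [issuer]; self-signed if no issuer
  local d="$1" n="$2" cn="$3" ext="$4" ca="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 30 \
      -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -set_serial "0x$(openssl rand -hex 8)" -days 30 \
      -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

make_demo_pki() {  # stand-in for what a public CA returns: root -> int -> leaf
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.com\n' > "$d/leaf.ext"
  issue "$d" root "Demo Root CA" "$d/ca.ext"
  issue "$d" int "Demo Issuing CA" "$d/ca.ext" root
  issue "$d" leaf "vpn.example.com" "$d/leaf.ext" int
}

chain_ok() {  # chain_ok <dir> [intermediate.pem]: does the leaf verify up to the root?
  local d="$1" int="${2:-}"
  openssl verify -CAfile "$d/root.pem" ${int:+-untrusted "$int"} "$d/leaf.pem" >/dev/null 2>&1
}

build_p12() {  # bundle key + leaf + intermediate + root; echo how many certs the p12 holds
  local d="$1"
  cat "$d/int.pem" "$d/root.pem" > "$d/chain.pem"
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/chain.pem" \
    -name "vpn.example.com" -passout "pass:$P12_PASS" -out "$d/portal.p12"
  openssl pkcs12 -in "$d/portal.p12" -nokeys -passin "pass:$P12_PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
make_demo_pki "$d"
chain_ok "$d" || echo "leaf alone: chain does not verify"
chain_ok "$d" "$d/int.pem" && echo "leaf + intermediate: chain verifies"
echo "certificates in portal.p12: $(build_p12 "$d")"
```

With real files, only the `chain_ok` and `build_p12` steps apply, pointed at the issued certificate, its private key and the CA's intermediate and root files.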
