Hi there,
I wanted to upload 3rd party certificate to the gateway, however the only option is to use "add" button, which in turn would generate private key, CSR and will wait for me to come back with signed certificate and do "complete".
It all would be fine, however I want to upload the same certificate on multiple gateways. I see "export P12", so I assume there is a hidden way to "import P12"?
That SK talks about exporting the certificate.
The question is about importing an existing certificate with a private key for IPsec VPN, which is neither supported nor best practice.
If you generate a new certificate using the same Certificate Authority as the previous certificate, it should work without difficulty.
Don’t believe you can or should use the same certificate on multiple gateways.
I understand your concerns, but there might be cases where it could be beneficial.
I assume the "export P12" button is for making a backup of the certificate + private key, however what is the purpose of such a backup if you can't import it?
I believe that is for the public Certificate Authority key, not the gateway certificate.
Hello @PhoneBoy,
I'm wondering the same as @abihsot__. In my case I'm replacing an old Cluster with new gateway models, so I need to import the IPSec VPN Certificate which resides in the SMS, but there is no such option to import the certificate to the new Cluster.
Thank you.
Hello Mr. PhoneBoy,
Does the certificate affect VPN site to site, or only VPN Client Remote Access?
Thanks
It would affect both client to site and site to site. However, unless you have site to site VPN tunnels between two Check Point gateways you manage from the same SMS, your site to site VPN is most likely using a pre-shared key instead of certificates.
If you do have site to site VPNs between Check Point gateways managed by the same SMS, you just need to install policy to all the other gateways the gateway in question has a VPN to, so they are aware of the new cert as well.
In my experience, this change usually has more of an effect on client to site, but it can have an effect if your site to site VPNs use certificates rather than PSK.
I see many requests like that online. Also, I am facing a similar situation: the ability to export/import an existing certificate is crucial for proper operational management of the devices. Once we want to swap/replace a device or virtual appliance, we need to configure everything from scratch automatically (migrate doesn't work in our case). I can do everything through the API, but we NEED to export/import VPN certificates for our tunnels; otherwise we need to go through a very complicated process with the CSR (basically fly to another country to get it on CD, as this is a security requirement). How can we proceed with getting such a feature added?
Backup and restore should cover replacement in most cases. As @PhoneBoy mentioned already, there is a reason it is hard or even impossible to extract a certificate with a private key. It is done for very serious security reasons.
For VPN purposes, you can actually generate a new certificate from a trusted CA. That should not affect tunnel functionalities. As long as VPN peers trust certificates from the other side, you should be fine.
Third-party VPN certificates have always been rather tedious on Check Point. First, you must create a Trusted CA, then a subordinate CA to get the entire chain trusted on your management server. Then you have to create the CSR based on this, get it signed, and then import and have it trusted.
I don't think you can utilise the same certificate on multiple gateways, as you will have to start with a new CSR per gateway/cluster.
This process is much easier and seamless with the Mobile Access blade enabled. In Mobile Access, you can simply import .p12 directly without jumping through all the other hoops:
But I'm not entirely sure if the certificate you import into the Mobile Access portal will be available to choose as a certificate for Site-2-Site IPsec VPN. When you jump through the hoops not using Mobile Access, your certificate will be available for Site-2-Site IPsec VPN and Remote Access. Not entirely sure if that is the case when using Mobile Access or if it will be available for Remote Access only.
Pretty sure this will not impact anything for Site-to-Site VPN or Remote Access VPN clients that aren't SNX.
We need the Certificate Authorities explicitly defined (the root and any subordinates) in order to correctly verify the certificates in use are still valid.