PJ_WONG
Contributor

Query on using Registration Key to enroll remote access certificate

Hi Checkmates,

I am testing using the registration key for Certificate Enrolment, so that I can distribute the VPN certificates to users using a registration key.

However, I got a message that the enrolment failed. But if I download the certificate manually, then everything works fine.

Am I missing something to use the registration key for enrolment? I have attached the images for reference; appreciate any advice on this.

Thank you.

0 Kudos
8 Replies
PhoneBoy
Admin

What version/JHF of gateway?
What client version?
Did you pull the client logs to see if there are any clues there?

0 Kudos
PJ_WONG
Contributor

Hi PhoneBoy,

I am using R81.10 JHF 150 in my lab.

The client version is E88.50 Build 98105707

I can see this error in logs:

[TrGUI] EnrollCBFunc: callback called with error code -4 , (Remote Access VPN could not establish connection with Internal CA.
Enter the server IP or server name and try again.

The firewall policy is to allow any traffic, and I can ping it. Are additional settings needed?

Thanks,
PJ
0 Kudos
the_rock
MVP Platinum

Does it happen on every machine? Maybe try the E88.62 client as a test. Though, based on those messages you sent, it appears it's communication to the gateway that's failing. Do you see any logs about this in SmartConsole?

Best,
Andy
0 Kudos
PJ_WONG
Contributor

Hi Andy,

I am able to connect with the E88.62 client; appreciate your suggestion on this.

I didn't suspect it was a version issue, as key enrolment should be a basic function.

Thanks,

PJ

the_rock
MVP Platinum

Glad we could help. Yeah, always something to consider with endpoint clients, for sure.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin

Key Enrollment has been there for quite some time.
Not sure what in E88.50 causes issues with it, but glad the latest version is working.

0 Kudos
ccsjnw
Contributor

I worked through this very problem only yesterday!

It's a permission problem. Standard Windows users (without Administrative permissions) have this problem - but there is an easy solution 😀.

When you do the Certificate Enrolment on the client machine, it actually tries to install two certificates, not one - but you have no visibility of this...

The user's specific certificate with its private key can be enrolled into the User's Personal Certificate Store in Windows (with standard user permissions) without any problem, but the corresponding Issuing Certificate from your Firewall Manager also needs to be located in the Trusted Root Certification Authorities Store on your computer. The certificate enrolment process tries to install the certificate if it doesn't exist, but the process fails if you don't have Administrative permissions on the computer.

The solution is to use Group Policy to pre-distribute the Issuing Certificate to the Trusted Root Certification Authorities Store on all the relevant computers in your domain (for example, all your laptop computers):

Required GPO settings: [screenshot GPO.jpg]

When you create the GPO, you just need a copy of the required certificate (you can copy it from an already working computer in .cer format). The certificate becomes embedded as part of the GPO object.

After the computers refresh Group Policy, they now have the required certificate located in the Trusted Root Certification Authorities Store. Because the valid certificate is now already located on the computer, when you perform the certificate enrolment process, it will now work without error.
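As an added example (not posted by anyone in this thread), a PowerShell pre-flight check that verifies the condition described above before a standard user attempts registration-key enrolment: the issuing CA must already sit in the machine-wide Trusted Root store. The .cer path is an assumption; export it from a working machine as the post describes.

```powershell
# Added example, not from the thread. Checks the precondition for a non-admin
# enrolment: the Issuing CA (exported as .cer from a working client) must already
# be in LocalMachine\Root, because a standard user cannot write to that store.
# The path is an assumption; point it at your exported issuing CA certificate.
param(
    [string]$IssuingCaCerPath = "C:\Temp\IssuingCA.cer"
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuingCaCerPath
Write-Host "Issuing CA: $($ca.Subject)"
Write-Host "Thumbprint: $($ca.Thumbprint)"

# Is this session elevated? Only then can enrolment itself add the CA to LocalMachine\Root.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running elevated: $isAdmin"

# Match by thumbprint, not by name, in the store the GPO populates.
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }

if ($inMachineRoot) {
    Write-Host "OK: issuing CA is trusted machine-wide; enrolment can proceed as a standard user."
} elseif ($isAdmin) {
    Write-Host "CA missing, but the session is elevated, so enrolment can install it itself."
} else {
    Write-Warning "CA missing from LocalMachine\Root and session not elevated: enrolment will fail."
    Write-Warning "Distribute the CA via Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, then run gpupdate /force."
}

# After a successful enrolment: confirm the user's certificate was issued by this CA
# and that its chain builds against the local trust stores.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $ca.Subject } |
    ForEach-Object {
        $chainOk = $_.Verify()
        Write-Host ("User cert {0} (expires {1}) chain valid: {2}" -f $_.Subject, $_.NotAfter, $chainOk)
    }
```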

 

the_rock
MVP Platinum

Great job!

Best,
Andy
0 Kudos
