Maybe best to get an official TAC answer, but this is what AI gives.
***************************
Before I outline the steps, a caveat: “Gen2 SSL certificates” is somewhat ambiguous (could refer to a newer generation / version of certs, or a specific vendor’s “Gen2” type). The instructions below assume “Gen2 SSL certificate” behaves like a standard X.509 user certificate / CA‐issued certificate chain, usable for VPN / client authentication. Adjust as needed to your specific “Gen2” setup.
Here’s a general outline of what the user must do on a Windows 11 client (end user system) so that the Check Point / Capsule VPN can use the SSL / certificate-based authentication. (These steps assume the server / gateway side is already configured properly to accept certificate auth.)
High-level prerequisites (on server / PKI / policy side)
Before the end user actions, the following must already be in place (by the VPN / network / security team):
- A CA issues “Gen2 SSL certificates” (or the appropriate user certificates) that are trusted by the VPN server / gateway.
- The VPN gateway / Check Point appliance has the root / intermediate CA certificates in its trusted store so it can validate user certificates.
- The VPN gateway’s configuration (in SmartConsole / SmartDashboard or equivalent) is set to allow certificate authentication (or EAP-TLS / client certificate mode) for the VPN (Capsule / mobile VPN) service.
- The server/gateway has generated a CSR (if needed) and installed its server certificate (so the client can trust the server certificate). (knowledge.digicert.com)
- The server policy is pushed, and the gateway is ready to validate connecting clients’ certificates.
Once that infrastructure is ready, the user steps on Windows 11 are as follows.
Steps on Windows 11 (end user side)
Below is a recommended sequence. Depending on your environment (e.g. via Intune, group policy, manual install, or certificate auto-enrollment), some steps may be automated or differ slightly.
| Step | Description | Notes / Tips |
|---|---|---|
| 1 | Obtain the client certificate (and key) | The user (or device) needs a certificate & private key. This might be delivered via: • A PFX / PKCS#12 file (.p12 / .pfx) • Auto-enrollment via your organization’s PKI (SCEP, AD CS, Intune, etc.) • Certificate enrollment portal • Smartcard / hardware token • An MDM/endpoint management push |
| 2 | Import the certificate into the Windows certificate store | Use Microsoft Management Console (mmc) or certmgr to import the PFX / certificate + key into the “Personal” / “My” certificate store (Current User). Ensure the private key has the correct permissions for usage. |
| 3 | Ensure the root / intermediate CA certs are trusted | The root and intermediate CAs that issued the user’s certificate must be in the Trusted Root Certification Authorities and Intermediate Certification Authorities stores (Current User or Local Computer) so Windows and the VPN client trust it. |
| 4 | Install / configure the Capsule VPN client (if not already installed) | Download and install the Check Point / Capsule VPN / Mobile VPN client for Windows (as provided by your IT / service desk). For Windows 11, the client must support certificate authentication. |
| 5 | Configure a VPN site / profile with certificate authentication | In the VPN client setup: • Specify the VPN gateway hostname / address • Choose Certificate (or “Client Certificate / Certificate-based auth”) as the authentication method instead of username/password • Select which certificate (from store) to use (if the client prompts) • Optionally specify if “Always On” or “automatic connect” behavior is desired • (Optional) specify whether all traffic goes through the VPN or only selected subnets |
| 6 | Validate / accept the server’s SSL certificate / fingerprint | On first connection, the client may present the server’s certificate or fingerprint and ask the user to accept/trust it. The user should verify that the certificate / fingerprint matches what IT has provided. (This step prevents a man-in-the-middle or untrusted server.) |
| 7 | Initiate the VPN connection | Use the client’s “Connect” operation. The client will present the user certificate to the server; the server will validate it (checking certificate chain, revocation, allowed users) and allow the connection if valid. |
| 8 | Troubleshoot / validate | If the connection fails, check: • Certificate validity (expiration, revoked, correct usage) • Certificate chain / trust chain • Private key presence and permissions • That the gateway is configured to accept your certificate • Logs on the client / server for authentication failures • That the certificate has the required key usage / extended key usage (EKU) for client auth (e.g. Client Authentication usage) • That the certificate supports signing / digital signature (if required) (RSA Community) |
Example / Extra Context: Using Capsule with certificate auth via Intune (or managed deployment)
To streamline the above, many organizations push the VPN configuration via Intune or MDM and also auto-enroll the certificate. For example:
- Use a SCEP profile or PKCS certificate profile in Intune to auto-enroll the user or device certificate.
- Use a VPN configuration profile (of type “Check Point / Capsule”) in Intune, specifying certificate authentication (and specifying which certificate / certificate store to use).
- The client then gets the VPN configuration and the certificate without manual steps for the end user.
- One user on Reddit reported that in their environment, the first connection still prompted for certificate selection manually unless special configuration or PowerShell scripts were used. (Reddit)
- Also, Check Point documentation suggests there are specialized support articles / PowerShell commands for automating the certificate selection in Capsule for Windows. (E.g. see Support SK107535) (Reddit)
Best,
Andy
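As an added illustration of the client-side checks in steps 2, 3 and 8 above (this script is not part of the post, the AI answer, or Check Point's own tooling), the following PowerShell run in the end user's session lists each certificate in the Current User “Personal” store issued by a given CA and reports whether it has a private key, is within its validity period, carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) and Digital Signature key usage, and builds a trusted chain with revocation checking. The issuer name `CN=EXAMPLE-ISSUING-CA` is a placeholder; replace it with the CN of the CA that issues your user certificates.

```powershell
# Added example: readiness check for a certificate-based VPN client certificate.
# Not from the original post or Check Point documentation. The issuer filter
# below is a placeholder assumption; pass your issuing CA's CN via -IssuerFilter.
param(
    [string]$IssuerFilter = 'CN=EXAMPLE-ISSUING-CA'
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientCertReadiness {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $now = Get-Date
    $result = [ordered]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        HasPrivateKey    = $Cert.HasPrivateKey                       # step 2: key imported with the cert
        InValidityPeriod = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
        ClientAuthEku    = $null    # $null = no EKU extension present (usage not restricted)
        DigitalSignature = $null    # $null = no Key Usage extension present
        ChainValid       = $false   # step 3: chain terminates in a trusted root
        ChainStatus      = @()      # empty when the chain is fully valid
    }

    foreach ($ext in $Cert.Extensions) {
        # Extended Key Usage must allow client authentication if the extension is present
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $result.ClientAuthEku = $false
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $clientAuthOid) { $result.ClientAuthEku = $true }
            }
        }
        # Key Usage must include Digital Signature if the gateway requires signing
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]) {
            $flag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
            $result.DigitalSignature = (($ext.KeyUsages -band $flag) -ne 0)
        }
    }

    # Build the chain the way a relying party would: every link checked online for revocation,
    # and the root must be in the Trusted Root Certification Authorities store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $result.ChainValid  = $chain.Build($Cert)
    $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })

    [pscustomobject]$result
}

Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerFilter*" } |
    ForEach-Object { Test-ClientCertReadiness -Cert $_ } |
    Format-List
```

A healthy certificate shows `HasPrivateKey : True`, `InValidityPeriod : True`, `ClientAuthEku : True` (or blank if the CA issued it without an EKU extension), `ChainValid : True` and an empty `ChainStatus`. `UntrustedRoot` or `PartialChain` points at a missing root or intermediate in the trust stores (step 3); `RevocationStatusUnknown` or `OfflineRevocation` usually means the CRL or OCSP endpoint is not reachable from the client; `HasPrivateKey : False` means only the public certificate was imported and the PFX needs to be imported again with its key (step 2).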