This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mike_Jensen
Advisor
‎2019-02-12 12:45 PM

Remote Access VPN Certificate

I have a Check Point cluster that has remote access turned on for remote access VPN use.  The certificate that secure remote access is using has been found to be using a weak hashing algorithm and/or a RSA key less than 2048 bits.

 

I am in need of correcting this and have not been able to find a way to make remote access use a different certificate without possibly breaking SIC or my point to point VPN connections.

 

When I go into the gateway cluster properties > VPN Clients - I see that "defaultCert" is selected but have not been successful in finding a way to add a new and more secure certificate.

 

I see there are options in Global Properties from the file / launch menu but am hesitant to change anything in there.

 

 

Can anyone assist?  Thank you.

Preview file
22 KB
9 Replies
Rafal_N
Contributor
‎2019-02-13 04:03 AM

Hello,

Try to add it on IPSec VPN tab. Then you should be able change it for VPN Clients.

R

Mike_Jensen
Advisor
‎2019-02-13 05:50 AM
In response to Rafal_N

Hello,

In the IPSEC options in Gateway Cluster Properties I click on "Add" > enter a certificate name > click " Generate" > and then I receive an error stating "Cannot generate certificate from "internal_ca" Certificate Authority because MY_CLUSTER_NAME already has a certificate generated by "internal_ca" Certificate Authority.

0 Kudos
Jerry
Leader
Leader
‎2019-02-13 06:33 AM

all you need really is a p12/capi certificate which can be generated from users group under SmartConsole.

that's all.

Jerry
Mike_Jensen
Advisor
‎2019-02-13 06:46 AM
In response to Jerry

Hi Jerry,

I don't know what a p12/capi certificate is.  The certificate I am trying to replace is the server certificate, not the user or laptop certificates(s).

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-13 07:11 PM

The local VPN certificate is actually signed by the Internal CA.

Assuming the remote end is configured to trust certificates signed by the ICA, then replacing the certificate should only involve minimal disruption.

However, the existing VPN certificate must be revoked first.

Mike_Jensen
Advisor
‎2019-02-14 08:07 AM
In response to PhoneBoy

Hi Dameon,

What you are describing is exactly what I need to do, I just don't know how to to do it and can't find instructions.  I am also cautious as I don't want to inadvertently revoke a cert that is used for SIC.

Are you able to point me in the right direction or coach me on how to revoke this VPN cert and generate a new one?

Thank you!

0 Kudos
PhoneBoy
Admin
Admin
‎2019-02-14 01:20 PM
In response to Mike_Jensen

Yeah, I'm having a little trouble figuring that one out as well Smiley Happy

What happens if you merely "renew" the certificate? 

This should generate you a new certificate and you can review the number of bits to ensure it's correct.

I believe this will require a policy installation to take effect.

Otherwise, I suggest consulting with the TAC.

How To Open a Case with TAC and/or Account Services

lbcadenco10
Contributor
‎2020-07-20 01:21 PM
In response to Mike_Jensen

In case anyone comes across this post, here is the SK to increase the key size and renew the VPN cert

 

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Jeff_Gao
Advisor
‎2020-08-04 07:12 AM
In response to lbcadenco10

Dear
I have completed all certificate-base remote access vpn,but it prompt below:

unknow user.png

 "Connection Failed:User Email=jeff.gao@example.com,CN=Jeff.gao,OU=IT,DC=example,DC=cn unknow"

I can not search the example from sk or google

GW:R80.30 and take 214

CA:windows server 2019 and together with AD

client:Non-join-AD and trust CA root cert