CheckMates community thread: Products > Quantum > Remote Access VPN
Remote Access VPN: Gateway presenting wrong certificate?
Hi,
I've noticed our gateways are presenting the web certificate configured for the platform portal/UserCheck/SAML portal instead of the one under IPsec VPN.
Am I missing something? From my understanding this is not the expected behavior. I've attached some screenshots in the hope they'll help you understand my context.
We're on R81.10 with hotfix take 81. All clients are version E84 or above.
That does not appear right. Let me check it in a customer's environment and I will update you.
Question... did you actually end up removing the defaultCert that was there? I ask because you can NOT change the nickname of a cert unless a new one is created. By the way, I checked for another client and they have the default cert there and it works fine; I deleted their VPN site and created it again and get the proper fingerprint. They also use another cert for the web UI, which is also presented correctly.
Yes, it was changed a while back, on R77.30 some 4-5 years ago when it expired, to what you currently see. I did renew that same cert a few weeks ago since it expired.
Check Point support has seen this setting multiple times without mentioning this would be a problem, so I'm a bit confused...
Don't believe it's an issue per se, but I was more curious.
I have the same issue on same version. Any ideas how to resolve this?
What's the gw and client version?
Andy
I have a similar issue. The customer had a pen test that highlighted SHA1 in the chain of certs on https://ipaddress:443. So I regenerated the ICA cert with the sk158096 script. ICA looks to sign with SHA256. So I renewed the VPN cert and pushed policy, but the certificate on the web page doesn't seem to update. They have a SAML portal enabled with the default cert. GW and MGMT are on R81.20. If I do the same process in a lab, the cert changes on the web page. Been looking at sk131212, sk94965, sk152713. No idea at the moment.
If you're just concerned with the fingerprint for the VPN client, then that fingerprint is the one of the management server CA, not the gateway's own certificate. This is why the fingerprint doesn't change for the clients just because the gateway's certificate is renewed by the management server. HOWEVER... if you changed your management server certificate, then this WILL change.
I have a script I posted to the Toolbox that can decode it for you:
https://community.checkpoint.com/t5/Scripts/rfc1751-py/m-p/194975#M1130
Get this Python script, and you can run the inline "openssl s_client" command against your gateway, which will get you the correct fingerprint you can verify.
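As an added example (not from the thread and not the Toolbox script linked above), a stdlib-only Python helper that takes the output of `openssl s_client -connect <gateway>:443 -showcerts` and reports, for every certificate in the chain the gateway sends, its SHA-1 and SHA-256 fingerprints and its signature algorithm, flagging SHA-1 signatures like the pen-test finding earlier in the thread. The function names (`_tlv`, `_decode_oid`, `inspect_chain`) and the two minimal PEM blobs in `SAMPLE_OUTPUT` are my own constructions, not real certificates.

```python
import base64, hashlib, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",     # RFC 3279
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",  # RFC 4055
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}          # RFC 5758

def _tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Certificate ::= SEQUENCE {tbsCertificate, signatureAlgorithm, signature}."""
    _, start, _ = _tlv(der, 0)                  # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)            # tbsCertificate, skipped entirely
    _, alg_start, _ = _tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    tag, o_start, o_end = _tlv(der, alg_start)  # its first element: the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    oid = _decode_oid(der[o_start:o_end])
    return SIG_OIDS.get(oid, oid)

def fingerprint(der, algo="sha256"):
    hexd = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))

def inspect_chain(s_client_output):
    """One dict per certificate, server order: index 0 is the leaf the port actually serves."""
    chain = []
    for m in PEM_RE.finditer(s_client_output):
        der = base64.b64decode(m.group(1))  # b64decode ignores the PEM line breaks
        alg = signature_algorithm(der)
        chain.append({"sha1": fingerprint(der, "sha1"), "sha256": fingerprint(der),
                      "sig_alg": alg, "weak_sig": "sha1" in alg.lower()})
    return chain

def _pem(sig_oid):  # constructed sample, not a real certificate: empty tbsCertificate
    der = b"\x30\x12\x30\x00\x30\x0b\x06\x09" + sig_oid + b"\x03\x01\x00"
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_OUTPUT = (_pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")    # leaf, sha256WithRSA
                 + _pem(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05"))  # issuer, sha1WithRSA
```

Feed `inspect_chain` the real `-showcerts` output (for example `openssl s_client -connect gw:443 -showcerts </dev/null`): if index 0 carries the portal certificate's fingerprint rather than the IPsec VPN one, that is the symptom from the opening post, and any `weak_sig` entry is the SHA-1 chain member the pen test flagged.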
