casgrain
Participant

Remove Access VPN: Gateway presenting wrong certificate?

Hi,

I've noticed our gateways are presenting the web certificate configured for platform portal/usercheck/saml portal instead of the one under IPSEC VPN. 

Am I missing something? From my understanding this is not the expected behavior. I've attached some screenshots in the hope they'll help you understand my context.

We're on R81.10 with hotfix take 81. All clients are version E84 or above.


8 Replies
the_rock
Legend

That does not appear right. Let me check it in a customer's environment and I will update you.

0 Kudos
the_rock
Legend

Question...did you actually end up removing the defaultCert that was there? I ask because you can NOT change the nickname of a cert unless a new one is created. By the way, I checked for another client and they have the default cert there and it works fine; I deleted their VPN site and created it again and get the proper fingerprint. They also use another cert for the web UI, which is also presented correctly.

0 Kudos
casgrain
Participant

Yes, it was changed a while back, on R77.30 some 4-5 years ago when it expired, to what you currently see. I did renew that same cert a few weeks ago since they expired.

Checkpoint support have seen this setting multiple times without mentioning this would be a problem, so I'm a bit confused...

the_rock
Legend

Don't believe it's an issue per se, but was more curious.

0 Kudos
casgrain
Participant

I have the same issue on same version. Any ideas how to resolve this? 

0 Kudos
the_rock
Legend

What's the GW and client version?

Andy

0 Kudos
LazarusG
Contributor

I have something similar. Customer had a pen test that highlighted SHA1 in the chain of certs on https://ipaddress:443. So I regenerated the ICA cert with the sk158096 script. ICA looks to sign with SHA256. So I renewed the VPN cert and pushed policy, but the certificate on the web page doesn't seem to update. They have a SAML portal enabled with the default cert. GW and MGMT on R81.20. If I do the same process in a lab, the cert changes on the web page. Been looking at sk131212, sk94965, sk152713. No idea at the moment.

0 Kudos
Duane_Toler
Advisor

If you're just concerned with the fingerprint for the VPN client, then that fingerprint is the one of the management server CA, not the gateway's own certificate. This is why the fingerprint doesn't change for the clients just because the gateway's certificate is renewed by the management server. HOWEVER... if you changed your management server certificate, then this WILL change.

I have a script I posted to the Toolbox that can decode it for you:

https://community.checkpoint.com/t5/Scripts/rfc1751-py/m-p/194975#M1130

Get this Python script, and you can run the inline "openssl s_client" command against your gateway which will get you the correct fingerprint you can verify.


0 Kudos
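Added example (not Duane's rfc1751.py and not a Check Point tool): a small stdlib-only Python script for the two checks raised in this thread. It takes the output of `openssl s_client -connect gateway:443 -showcerts` (captured to a file, or fetched live via the helper at the bottom), splits out every certificate in the presented chain, prints the SHA-1 and SHA-256 fingerprint of each (the same values `openssl x509 -fingerprint` shows), and decodes the outer signatureAlgorithm OID so a SHA-1-signed certificate in the chain (LazarusG's pen-test finding) stands out. Because the client-side fingerprint is that of the management CA certificate rather than the gateway's own, the report lists every certificate in the chain so you can compare the right one. The host name, the `SAMPLE_*` certificates and the transcript are constructed placeholders, not real Check Point certificates; the RFC 1751 word encoding the VPN client displays is not implemented here.

```python
import base64
import hashlib
import re
import subprocess

# Signature-algorithm OIDs worth recognising (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # SHA-1 based signatures

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def extract_pem_chain(s_client_output):
    """Return every PEM certificate block from 'openssl s_client -showcerts' output, in chain order."""
    return PEM_RE.findall(s_client_output)


def pem_to_der(pem):
    """Strip the BEGIN/END armour and base64-decode the body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def _der_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Dotted-decimal form of a DER OID value (first byte packs the first two arcs, rest are base-128)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """OID of the outer signatureAlgorithm of an X.509 certificate (RFC 5280 section 4.1)."""
    _, cert, _ = _der_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _der_tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _der_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _der_tlv(alg_id, 0)
    return _decode_oid(oid)


def fingerprint(der, algo="sha256"):
    """Colon-separated uppercase digest of the DER, formatted like 'openssl x509 -fingerprint'."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_chain(s_client_output):
    """One dict per presented certificate: fingerprints, signature algorithm, SHA-1 flag."""
    report = []
    for pem in extract_pem_chain(s_client_output):
        der = pem_to_der(pem)
        oid = signature_algorithm(der)
        report.append({"sha1": fingerprint(der, "sha1"), "sha256": fingerprint(der, "sha256"),
                       "sig_alg": SIG_ALG_NAMES.get(oid, oid), "weak_signature": oid in WEAK_SIG_ALGS})
    return report


def fetch_s_client_output(host, port=443):
    """Live mode (needs openssl in PATH): run s_client against the gateway and return its output."""
    proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}", "-showcerts"],
                          input=b"", capture_output=True, timeout=15)
    return proc.stdout.decode(errors="replace")


def _constructed_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----"


# Constructed test data, NOT real certificates: a minimal DER skeleton (empty tbsCertificate,
# AlgorithmIdentifier, one-byte BIT STRING) that is just enough to exercise the parser.
_SKELETON = "3015 3000 300d0609 2a864886f70d0101{alg} 0500 030200ff"
SAMPLE_GATEWAY_CERT = bytes.fromhex(_SKELETON.format(alg="0b").replace(" ", ""))  # sha256WithRSA
SAMPLE_OLD_ICA_CERT = bytes.fromhex(_SKELETON.format(alg="05").replace(" ", ""))  # sha1WithRSA
SAMPLE_S_CLIENT_OUTPUT = ("CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = vpn-gw.example.invalid\n"
                          + _constructed_pem(SAMPLE_GATEWAY_CERT) + "\n 1 s:CN = example-mgmt ICA\n"
                          + _constructed_pem(SAMPLE_OLD_ICA_CERT) + "\n---\n")

if __name__ == "__main__":
    # Replace SAMPLE_S_CLIENT_OUTPUT with fetch_s_client_output("vpn-gw.example.invalid") for a live check.
    for i, entry in enumerate(audit_chain(SAMPLE_S_CLIENT_OUTPUT)):
        print(f"[{i}] {entry['sig_alg']}{'  <-- SHA-1 signature' if entry['weak_signature'] else ''}")
        print(f"    SHA1   {entry['sha1']}\n    SHA256 {entry['sha256']}")
```

Run it against the saved transcript of each portal (443, the Remote Access VPN port, the SAML portal) and diff the reports: if the leaf fingerprint on 443 matches the portal/usercheck certificate rather than the IPsec VPN one, you have reproduced the original poster's symptom, and the chain entry whose signature algorithm is SHA-1 is the one the pen test flagged.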
