This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chris_Butler
Collaborator
‎2018-10-24 09:59 AM

SNX Mobile Access SSL VPN - Can you install a wildcard certificate?

My firm has a DigiCert wildcard certificate which we purchased to cover a number of purposes for our single site needs, but the most important of these are:

  1. On Premise Exchange 2010
  2. Check Point VPN (Mobile Access SNX)

When I was doing the research for what certificate type to buy rather than a UCC style cert (UCC gets you get 4 Subject Alternate Names for a set price and add on cost per additional SAN)

When I realized that the Digicert Wildcard cert allowed you to not only have unlimited hosts at the hierarchical level of the wildcard itself:

It is pretty straightforward that a wildcard CN of "*.contoso.com" covers:

  • contoso.com
  • mail.contoso.com
  • autodiscover.contoso.com
  • vpn.contoso.com
  • and so on

But you can also request blocks of 10 fully qualified Subject Alternate Names at any hierarchical level deeper than that

  • idrac-server1.corp.contoso.com
  • xeroxprinter1.corp.contoso.com
  • networkswitch2.newyork.corp.contoso.com
  • etc etc....

This proved to be economically a home run for us, as we had a number of devices that require legitimate certificates in order to have their management GUIs not be a total pain in the keister. (I did not want to bother with setting up an AD managed CA and use GPO to push the certs to the browsers, blah blah blah)

Anyhoo,

The question is, if our current SNX vpn fully qualified hostname is vpn.contoso.com and currently a  SAN from our (soon to expire) UCC cert is working fine with it, will a wildcard cert with a CN of *.contoso.com work with it?

Also, how do I generate the CSR properly?

Do I need to request the duplicate certificate with vpn.contoso.com in the list of SANs? does that even matter in this case?

Thanks all!

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2018-10-26 04:10 PM

I know there are issues with our regular (non SNX) VPN client using a wildcard:

Changing Checkpoint Mobile Desktop Client wildcard Hostname

That said, I think if you put the FDQN as part of the SAN, it should work. 

0 Kudos
Chris_Butler
Collaborator
‎2018-11-08 06:44 AM
In response to PhoneBoy

Hi Dameon,

I worked with TAC first, they pointed me to an SK which was ok, but it took getting on the phone with DigiCert after that to determine what the nomenclature that both sides used really meant.

In the end, I think I have worked out a very direct method of installing a DigiCert Wildcard and having it work with SNX, including what the end users should expect to see once the change propagates.

I will write that up later this week and post it here as an answer. (screenshots etc included) if you think it is succinct enough and helpful enough, and you think there is another place in CheckMates I should post it for more people to see, let me know.

Chris.

0 Kudos
PhoneBoy
Admin
Admin
‎2018-11-08 07:07 AM
In response to Chris_Butler

It'd be great if you could share it here, either as a response to this post or as a new post in the Remote Access‌ space.

0 Kudos
atheio
Explorer
‎2019-07-30 05:39 AM
In response to PhoneBoy

Was this ever posted as a write-up? I find myself in a similar situation and the link posted doesn't work.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events