Chris_Butler
Collaborator

SNX Mobile Access SSL VPN - Can you install a wildcard certificate?

My firm has a DigiCert wildcard certificate which we purchased to cover a number of purposes for our single site needs, but the most important of these are:

  1. On Premise Exchange 2010
  2. Check Point VPN (Mobile Access SNX)

When I was doing the research for what certificate type to buy rather than a UCC style cert (UCC gets you 4 Subject Alternative Names for a set price and an add-on cost per additional SAN)

When I realized that the DigiCert Wildcard cert allowed you to not only have unlimited hosts at the hierarchical level of the wildcard itself:

It is pretty straightforward that a wildcard CN of "*.contoso.com" covers:

  • contoso.com
  • mail.contoso.com
  • autodiscover.contoso.com
  • vpn.contoso.com
  • and so on

But you can also request blocks of 10 fully qualified Subject Alternative Names at any hierarchical level deeper than that

  • idrac-server1.corp.contoso.com
  • xeroxprinter1.corp.contoso.com
  • networkswitch2.newyork.corp.contoso.com
  • etc etc....

This proved to be economically a home run for us, as we had a number of devices that require legitimate certificates in order to have their management GUIs not be a total pain in the keister. (I did not want to bother with setting up an AD managed CA and use GPO to push the certs to the browsers, blah blah blah)

Anyhoo,

The question is, if our current SNX VPN fully qualified hostname is vpn.contoso.com and currently a SAN from our (soon to expire) UCC cert is working fine with it, will a wildcard cert with a CN of *.contoso.com work with it?

Also, how do I generate the CSR properly?

Do I need to request the duplicate certificate with vpn.contoso.com in the list of SANs? Does that even matter in this case?

Thanks all!

0 Kudos
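Added example, not code from the thread or from Check Point: a small Python checker that applies the RFC 6125 name-matching rules a TLS client uses, run against the hostnames from the question. The "certificate" is a constructed dict (CN plus SAN dNSName list) rather than a parsed X.509 file, so it runs offline.

```python
# Added example (not code from the CheckMates thread): RFC 6125 style hostname
# matching as a TLS client performs it, run against the names from the question.
# The "certificate" is a constructed dict (CN + SAN dNSName list), not a parsed X.509.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 section 6.4.3).

    Case-insensitive; a trailing dot is ignored.  A wildcard counts only as the
    complete leftmost label and matches exactly one label, so "*.contoso.com"
    matches "vpn.contoso.com" but neither the apex "contoso.com" nor the deeper
    "idrac-server1.corp.contoso.com".  Partial-label or multi-wildcard patterns
    are rejected conservatively, as most clients do.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) < 3:            # "*.com" would cover a whole TLD
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if the certificate is valid for hostname.

    Clients check the SAN dNSName entries; the CN is consulted only when the
    certificate has no dNSName SAN at all, and current browsers skip even that
    fallback.  Hence the VPN FQDN (or the wildcard) belongs in the SAN list.
    """
    names = cert["san"] if cert["san"] else [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)


def coverage_report(cert: dict, hostnames) -> dict:
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(cert, h) for h in hostnames}


# Constructed stand-in for a wildcard cert with one extra deep SAN.
WILDCARD_CERT = {
    "cn": "*.contoso.com",
    "san": ["*.contoso.com", "idrac-server1.corp.contoso.com"],
}

if __name__ == "__main__":
    for host, ok in coverage_report(WILDCARD_CERT, [
        "vpn.contoso.com", "contoso.com", "VPN.Contoso.COM.",
        "idrac-server1.corp.contoso.com", "xeroxprinter1.corp.contoso.com",
    ]).items():
        print(f"{host:35} {'covered' if ok else 'NOT covered'}")
```

The report shows why the deeper management hosts need their own SAN entries: the wildcard alone covers only one label under contoso.com.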
4 Replies
PhoneBoy
Admin

I know there are issues with our regular (non SNX) VPN client using a wildcard:

Changing Checkpoint Mobile Desktop Client wildcard Hostname

That said, I think if you put the FQDN as part of the SAN, it should work.

0 Kudos
Chris_Butler
Collaborator

Hi Dameon,

I worked with TAC first, they pointed me to an SK which was ok, but it took getting on the phone with DigiCert after that to determine what the nomenclature that both sides used really meant.

In the end, I think I have worked out a very direct method of installing a DigiCert Wildcard and having it work with SNX, including what the end users should expect to see once the change propagates.

I will write that up later this week and post it here as an answer. (screenshots etc included) if you think it is succinct enough and helpful enough, and you think there is another place in CheckMates I should post it for more people to see, let me know.

Chris.

0 Kudos
PhoneBoy
Admin

It'd be great if you could share it here, either as a response to this post or as a new post in the Remote Access space.

0 Kudos
atheio
Explorer

Was this ever posted as a write-up? I find myself in a similar situation and the link posted doesn't work.

0 Kudos
