Sergo89
Collaborator

SSL Certificate

Hello,

My main question: how do I reach rating A on ssllabs.com? My certificate chain is broken, and I have no idea how to fix it.

Actually, Check Point's SSL certificates are not clear to me. First of all, there are three locations: the first one is IPSec VPN (where we can generate a CSR with a proper SSL chain: root/intermediate/the cert itself), the second location is Mobile Access/Portal Settings, and the third is VPN Clients/SAML Portal.

When I installed a self-signed certificate into the first location (IPSec VPN) and/or Mobile Access, I was getting an error. The third location (SAML), I guess, is not alive anymore. Which one is used for the Endpoint VPN client? I thought Mobile is for phones and IPSec is for legacy Windows VPN clients. Is that right?

My certificate expired and I have to update it. When I did it the first time, two years ago, version 80.30 didn't support wildcard certificates, so I generated a certificate from IPSec VPN, then used OpenSSL magic to convert it to PFX format, and then installed it to the Mobile Access portal. But I don't remember how I did it, and the Check Point support guy said it's wrong and I need two certificates. How does it work in this case? For example, vpn.contoso.com for IPSec and vpnssl.contoso.com for Mobile? I think I will see an error.

At the same time, I have a DR firewall, where I generated one certificate from IPSec VPN, and it works fine: my Endpoint client ignores the Mobile portal and uses the right certificate (and it has rating A, because the certificate chain is OK).

Could you explain how it works and how to configure it properly?

Thanks
9 Replies
HeikoAnkenbrand
Champion

Hi @Sergo89,

Here are some tips and SKs about the certificates.

Mobile Access Certificate

The Security Gateway does not have a server certificate that is signed by a trusted 3rd party. Make sure that the server certificate of the Mobile Access gateway is signed by a trusted 3rd party Certification Authority (for example, Entrust, VeriSign). The 3rd party certificate must replace the self-signed (ICA) certificate.

Note: if you receive a .pfx file, rename the file extension from .pfx to .p12

How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to...

Gaia Portal Certificate

See sk97648:
How to create and set certificate for Gaia Portal
or sk116462 for old firewalls:
How to Install P7b format 3rd-party signed certificate on Gaia Portal without Multiportal feature

Internal CA Certificate

sk158096: How to renew an Internal Certificate Authority (ICA) certificate

VPN Certificate

See the R8x.x VPN admin guide, chapter PKI:
R81.10 Site to Site VPN Administration Guide - PKI

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
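The chain check the first post is asking about (why ssllabs.com reports "chain issues") and the PFX/.p12 bundling the note above refers to, as an added example that is not part of this thread and not a Check Point tool. It builds a throw-away root, intermediate and server certificate with OpenSSL (the names vpn.example.com, "Example Root CA" and "Example Issuing CA" are invented for the demo), checks that a PEM bundle is ordered server-cert-first with every issuer matching the next subject, validates the server certificate against the root the way a browser would, and packs the key plus the full chain into one PKCS#12 file with the .p12 extension the import dialog expects.

```shell
#!/usr/bin/env bash
# Added example (not from this thread or any Check Point tool). Names such as
# vpn.example.com and the two CA names are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN ISSUER KIND: ISSUER="" means self-signed; KIND is ca or server.
make_cert() {
  name="$1"; cn="$2"; issuer="$3"; kind="$4"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$kind" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$name.ext"
  else
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$cn" > "$WORK/$name.ext"
  fi
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 365 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# check_chain_order BUNDLE.pem: returns 0 when cert[i].issuer == cert[i+1].subject for
# every i, i.e. server cert first, then its issuer, and so on. A bundle that fails here is
# what ssllabs.com flags as an incorrect-order / broken chain.
check_chain_order() {
  dir="$(mktemp -d)"
  # split the bundle into 1.pem, 2.pem, ... in the order the certificates appear
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++; f=d "/" n ".pem"}
                   f{print > f} /-----END CERTIFICATE-----/{close(f); f=""}' "$1"
  i=1
  while [ -f "$dir/$((i+1)).pem" ]; do
    iss="$(openssl x509 -noout -issuer  -in "$dir/$i.pem")"
    sub="$(openssl x509 -noout -subject -in "$dir/$((i+1)).pem")"
    if [ "${iss#issuer=}" != "${sub#subject=}" ]; then
      echo "BROKEN between cert $i and cert $((i+1)): $iss vs $sub"; rm -rf "$dir"; return 1
    fi
    i=$((i+1))
  done
  echo "ordered: $i certificate(s), server cert first"; rm -rf "$dir"; return 0
}

# verify_leaf LEAF.crt ROOT.crt UNTRUSTED.pem: full path validation to a trusted root.
verify_leaf() { openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1; }

# make_p12 KEY CERT CHAIN PASSWORD OUT.p12: key + server cert + chain in one PKCS#12 file.
# A .pfx produced elsewhere is the same format; only the .p12 extension differs.
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -passout "pass:$4" -out "$5"
}

# count_p12_certs OUT.p12 PASSWORD: number of certificates inside the bundle.
count_p12_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# --- demo PKI, constructed for this example ---
make_cert root  "Example Root CA"    ""    ca
make_cert inter "Example Issuing CA" root  ca
make_cert vpn   "vpn.example.com"    inter server

cat "$WORK/vpn.crt" "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/good.pem"  # server first
cat "$WORK/root.crt" "$WORK/vpn.crt" "$WORK/inter.crt" > "$WORK/bad.pem"   # root first
cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/chain.pem"                  # chain for the .p12

check_chain_order "$WORK/good.pem"
check_chain_order "$WORK/bad.pem" || echo "(expected: this is the broken order)"
verify_leaf "$WORK/vpn.crt" "$WORK/root.crt" "$WORK/inter.crt" && echo "vpn.crt verifies"
make_p12 "$WORK/vpn.key" "$WORK/vpn.crt" "$WORK/chain.pem" 'ChangeMe!' "$WORK/vpn.p12"
echo "vpn.p12 carries $(count_p12_certs "$WORK/vpn.p12" 'ChangeMe!') certificates"
```

To test what a real gateway serves, capture its chain with `openssl s_client -connect vpn.example.com:443 -servername vpn.example.com -showcerts </dev/null` (hostname assumed), save the PEM blocks to a file and run `check_chain_order` on it; a portal that sends only the server certificate, or the root first, is the usual reason for a missing A rating. Two caveats: a CSR generated on the gateway keeps its private key on the gateway, so a .p12 can only be built this way from a key you hold; and OpenSSL 3 encrypts PKCS#12 with AES/PBKDF2 by default, so if an older importer rejects the file, re-export it with `openssl pkcs12 -export -legacy ...`.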
Sergo89
Collaborator

Thanks Heiko, but what do you mean by "server certificate"? IPSec or Mobile? And yes, I know how to create a Mobile certificate, but there will be two different certificates with different names. And which one does the Endpoint client use? Right now it shows me the Mobile certificate (wildcard).
HeikoAnkenbrand
Champion

Then I still do not understand your question 100%.

>>> and which one Endpoint client uses?

With the VPN client, it depends on which one you install:
[image: VPN_Client.jpg]
Endpoint Security VPN -> uses the internal CA certificate (ICA); before E80.60, and on R80.20 and lower, the gateway certificate.

Check Point Mobile -> uses the Mobile Access blade SSL certificate.
Sergo89
Collaborator

It's Endpoint VPN, the full bundle with AV.

>>> Endpoint Security VPN -> uses the internal CA certificate (ICA); before E80.60, and on R80.20 and lower, the gateway certificate.

Does that mean the IPSec VPN cert?
HeikoAnkenbrand
Champion

>>> It's Endpoint VPN, the full bundle with AV.
For AV scanning you need an additional Endpoint server and the managed client, see sk166428:
[image: Managed_Client.jpg]

>>> Does that mean the IPSec VPN cert?
Yes, IPSec VPN uses the internal certificate (ICA) for the "Endpoint Security VPN" client.
Sergo89
Collaborator

Thanks Heiko,

How do I choose which type of VPN we will be using? The full Endpoint version doesn't have options (Mobile is a different story). Do I have to create two different SSL certificates for IPSec VPN and SSL VPN?
Sergo89
Collaborator

Oh! What I have found in the manual:

    1. Install the Access Policy on the gateway.

    Note - The Repository of Certificates on the IPsec VPN page of the gateway object is only for self-signed certificates. It does not affect the certificate installed manually using this procedure.
Sergo89
Collaborator

Heiko,

Is it possible to find the private key somewhere when we generate the certificate from the GUI (IPSec VPN)?