Hello,
My main question: how do I reach Rating A on ssllabs.com? My certificate chain is broken, and I have no idea how to fix it.
Actually, Check Point's SSL certificates are not clear to me. First of all, there are three locations: the first one is IPSec VPN (we can generate a CSR with a proper SSL chain: Root/intermediate/the cert itself), the second location is Mobile Access/Portal Settings, the third is VPN Clients/SAML Portal.
When I installed a self-signed certificate into the first location (IPSec VPN) and/or Mobile Access, I was getting an error. The third location (SAML) I guess is not alive anymore. Which one is used for the Endpoint VPN client? I thought Mobile is for phones and IPSec is for legacy Windows VPN clients. Is that right?
My certificate expired and I have to update it. When I did it the first time, two years ago, version 80.30 didn't support wildcard certificates, so I generated the certificate from IPSec VPN, then used openssl magic to convert it to PFX format and then installed it into the Mobile Access portal. But I don't remember how I did it, and the Check Point support guy said it's wrong and needs two certificates. How does it work in this case? For example vpn.contoso.com for IPSec and vpnssl.contoso.com for Mobile? I think I will see an error.
At the same time I have a DR firewall, and I generated one certificate from IPSec VPN, and it works fine: my Endpoint Client ignores the Mobile Portal and uses the right certificate (and it has rating A, because the certificate chain is OK).
Could you explain how it works and how to configure it properly?
Thanks
Hi @Sergo89,
Here are some tips and SKs about the certificates.
Mobile Access Certificate:
The Security Gateway does not have a server certificate that is signed by a trusted 3rd party. Make sure that the server certificate of the Mobile Access gateway is signed by a trusted 3rd party Certification Authority (for example, EnTrust, VeriSign). The 3rd party certificate must replace the self-signed (ICA) certificate.
Note: if you receive a .pfx file, rename the file extension from .pfx to .p12
GAIA Portal Certificate:
See sk97648: How to create and set certificate for Gaia Portal
or sk116462 for old firewalls: How to Install P7b format 3rd-party signed certificate on Gaia Portal without Multiportal feature
Internal CA Certificate:
sk158096: How to renew an Internal Certificate Authority (ICA) certificate
VPN Certificate:
See the R8x.x VPN admin guide, chapter PKI: R81.10 Site to Site VPN Administration Guide - PKI
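The "chain issues" SSL Labs reports usually mean the portal serves only the leaf certificate without its intermediate. The script below is an added example, not code from this thread or from Check Point: it generates a throwaway root, issuing CA and server certificate locally (so it runs offline), shows that the leaf verifies only when the intermediate is supplied, and bundles key + leaf + intermediate into the full-chain PKCS#12 the Mobile Access portal imports. The hostname vpnssl.example.com and the export password are assumed demo values.

```shell
#!/bin/sh
# Added example (not from the thread): build a full-chain PKCS#12 for the
# Mobile Access portal and show how verification fails without the intermediate.
# Root -> issuing CA -> server cert are generated locally; in real use the
# server certificate and its intermediate come from your public CA.
set -eu
WORK=$(mktemp -d); cd "$WORK"
HOST=vpnssl.example.com   # hypothetical portal name, not from the thread
PASS=changeit             # export password for the .p12 (demo value)

# Throwaway root CA (openssl's default 'req -x509' profile marks it CA:TRUE)
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Demo Root CA" -days 30 2>/dev/null
# Issuing (intermediate) CA, signed by the root
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Issuing CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 30 -extfile ca.ext 2>/dev/null
# Server certificate for the portal, signed by the intermediate
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=$HOST" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out server.crt -days 30 -extfile leaf.ext 2>/dev/null

# Does LEAF verify up to ROOT when the INTERMEDIATE file is supplied? (exit 0 = yes)
chain_ok() { openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1; }
# Same check with only the leaf: what a portal that serves no intermediate looks like
leaf_only_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# Bundle key + server cert + intermediate into one PKCS#12 (.pfx and .p12 are the same format)
build_p12() { openssl pkcs12 -export -inkey server.key -in server.crt -certfile inter.crt \
  -out "$1" -passout "pass:$2" 2>/dev/null; }
# How many certificates a bundle carries; the complete portal chain here is 2 (leaf + intermediate)
p12_cert_count() { openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

chain_ok server.crt inter.crt root.crt && echo "leaf + intermediate: chain verifies"
leaf_only_ok server.crt root.crt || echo "leaf alone: verification fails (the chain issue SSL Labs flags)"
build_p12 portal.p12 "$PASS"
echo "certificates inside portal.p12: $(p12_cert_count portal.p12 "$PASS")"
```

The same two checks apply to a real portal: run `openssl s_client -connect host:443 -showcerts` and confirm the intermediate is among the served certificates before expecting the SSL Labs chain warning to clear.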
Thanks Heiko, but what do you mean by "server certificate"? IPSec or Mobile? And yes, I know how to create the Mobile certificate, but there will be two different certificates with different names. And which one does the Endpoint client use? Right now it shows me the Mobile certificate (wildcard).
Then I still do not understand your question 100%.
>>> and which one Endpoint client uses?
With the VPN client, it depends on which one you install:
Endpoint Security VPN -> Uses the internal CA certificate (ICA) and before E80.60 + lower R80.20 the gateway certificate.
Check Point Mobile -> Uses the Mobile Access blade SSL certificate
It's Endpoint VPN, the full bundle with AV.
>>> Endpoint Security VPN -> Uses the internal CA certificate (ICA) and before E80.60 + lower R80.20 the gateway certificate.
Does that mean the IPSec VPN cert?
>>> Its Endpoint VPN, full bundle with AV.
For AV scanning you need an additional endpoint server and the managed client, see sk166428:
>>> its mean - IPSec VPN cert?
Yes - IPSec VPN uses the internal certificate (ICA) for "Endpoint Security VPN" client.
Thanks Heiko,
how do I choose which type of VPN we will be using? The full Endpoint version doesn't have options (Mobile is a different story). Do I have to create two different SSL certificates for IPSec VPN and SSL VPN?
Oh! What I have found in the manual:
Note - The Repository of Certificates on the IPsec VPN page of the gateway object is only for self-signed certificates. It does not affect the certificate installed manually using this procedure.
Heiko,
is it possible to find the private key somewhere when we generate the certificate from the GUI (IPSec VPN)?