Sergo89
Contributor

SSL Certificate

Hello,

My main question: how do I reach rating A on ssllabs.com? My certificate chain is broken, and I have no idea how to fix it.

Actually, Check Point's SSL certificates are not clear to me. First of all, there are three locations: the first one is IPSec VPN (we can generate a CSR with a proper SSL chain: root/intermediate/the cert itself), the second is Mobile Access/Portal Settings, the third is VPN Clients/SAML Portal.

When I installed a self-signed certificate into the first location (IPSec VPN) and/or Mobile Access, I was getting an error. The third location (SAML), I guess, is not alive anymore. Which one is used for the Endpoint VPN client? I thought Mobile is for phones and IPSec is for legacy Windows VPN clients. Is that right?

My certificate expired and I have to update it. When I did it the first time, two years ago, version 80.30 didn't support wildcard certificates, so I generated a certificate from IPSec VPN, then used openssl magic to convert it to PFX format and installed it into the Mobile Access portal. But I don't remember how I did it, and the Check Point support guy said it's wrong and I need two certificates. How does it work in this case? For example, vpn.contoso.com for IPSec and vpnssl.contoso.com for Mobile? I think I will see an error.

At the same time I have a DR firewall, and I generated one certificate from IPSec VPN, and it works fine; my Endpoint client ignores the Mobile portal and uses the right certificate (and it has rating A, because the certificate chain is OK).

Could you explain how it works and how to configure it properly?

Thanks

9 Replies
HeikoAnkenbrand
Champion

Hi @Sergo89,

Here are some tips and SKs about the certificates.

Mobile Access Certificate

The Security Gateway does not have a server certificate that is signed by a trusted 3rd party. Make sure that the server certificate of the Mobile Access gateway is signed by a trusted 3rd party Certification Authority (for example, EnTrust, VeriSign). The 3rd party certificate must replace the self-signed (ICA) certificate.

Note: if you receive a .pfx file, rename the file extension from .pfx to .p12

How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to...

GAIA Portal Certificate

See sk97648:
How to create and set certificate for Gaia Portal
or sk116462 for old firewalls:
How to Install P7b format 3rd-party signed certificate on Gaia Portal without Multiportal feature

Internal CA Certificate

sk158096: How to renew an Internal Certificate Authority (ICA) certificate

VPN Certificate

See the R8x.x VPN admin guide, chapter PKI:
R81.10 Site to Site VPN Administration Guide - PKI

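The two things the question keeps coming back to are "why does ssllabs call my chain broken" and "how did I turn the IPSec VPN certificate into a PFX/P12 for the Mobile Access portal". The script below is an added example written for this page; it is not code from the thread, from Check Point, or from any SK. It builds a throwaway root -> intermediate -> leaf PKI with openssl, shows that a server presenting only the leaf fails validation against a trust store that holds just the root (that is the "chain incomplete" verdict), and then packs key + leaf + intermediate into the PKCS#12 file the portal import expects (the .pfx/.p12 rename Heiko mentions is only a file extension; the format is the same). The host name vpn.example.com, the export password and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread or from Check Point.
# Demonstrates: (1) a chain check that behaves like ssllabs / a VPN client,
#               (2) building the .p12 bundle (key + leaf + intermediate) for the portal import.
# vpn.example.com, the password and the file names are assumptions for illustration.
set -e

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="changeit"      # assumed demo password; use a strong one for a real gateway
cd "$WORK"

# make_test_pki: constructed root CA, issuing (intermediate) CA and server leaf.
# In real life the CSR comes from the gateway and the CA returns leaf + intermediate.
make_test_pki() {
    # root CA: self-signed, explicit CA extensions so openssl verify accepts it as an anchor
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile root.ext -out root.pem 2>/dev/null

    # intermediate CA signed by the root; pathlen:0 means it may only issue end-entity certs
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > int.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile int.ext -out int.pem 2>/dev/null

    # server leaf for the portal name; the SAN is what browsers and ssllabs actually match
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > leaf.ext
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=vpn.example.com" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 397 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null
}

# chain_verdict LEAF [INTERMEDIATES]: validate exactly what a client receives from the gateway.
# The trust store is root.pem only: clients ship public roots, never your CA's intermediate,
# so the gateway must send the intermediate itself or the chain cannot be built.
chain_verdict() {
    if [ -n "$2" ]; then
        openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile root.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

# served_chain HOST:PORT: dump the certificates a live gateway presents, in the order sent.
# Needs the network, so it is defined here but not called below.
served_chain() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# make_p12: the bundle for the Mobile Access portal import: private key + leaf + issuing chain.
# -certfile carries the intermediate; without it the portal serves a bare leaf and ssllabs
# reports the chain as incomplete. Rename .pfx <-> .p12 freely; the contents are identical.
make_p12() {
    openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem \
        -name "vpn.example.com" -passout "pass:$P12_PASS" -out vpn.p12
}

# p12_cert_count: number of certificates inside the bundle (leaf + intermediates; root optional)
p12_cert_count() {
    openssl pkcs12 -in vpn.p12 -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_test_pki
echo "leaf only:               $(chain_verdict leaf.pem)"          # FAIL: no path to the root
echo "leaf + intermediate:     $(chain_verdict leaf.pem int.pem)"  # OK
make_p12
echo "certificates in vpn.p12: $(p12_cert_count)"                  # 2 (leaf + intermediate)
```

After importing the .p12, repeat the check against the real portal: `served_chain vpn.example.com:443 > served.pem`, split that file into the leaf and the rest, and feed them to `chain_verdict` with your CA's public root as `root.pem`. A bare leaf with no intermediate in `served.pem` is the usual reason for a "chain issues" mark on ssllabs, regardless of how good the leaf itself is.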
Sergo89
Contributor

Thanks Heiko, but what do you mean by "server certificate"? IPSec or Mobile? And yes, I know how to create a Mobile certificate, but there will be two different certificates with different names. And which one does the Endpoint client use? Right now it shows me the Mobile certificate (wildcard).

HeikoAnkenbrand
Champion

Then I still do not understand your question 100%.

>>> and which one Endpoint client uses?

With the VPN client, it depends on which one you install:
[image: VPN_Client.jpg]
Endpoint Security VPN -> uses the internal CA certificate (ICA) and, before E80.60 and below R80.20, the gateway certificate.

Check Point Mobile -> uses the Mobile Access blade SSL certificate

Sergo89
Contributor

It's Endpoint VPN, the full bundle with AV.

>>> Endpoint Security VPN -> uses the internal CA certificate (ICA) and, before E80.60 and below R80.20, the gateway certificate.

Does it mean the IPSec VPN cert?

HeikoAnkenbrand
Champion

>>> It's Endpoint VPN, the full bundle with AV.
For AV scanning you need an additional Endpoint server and the managed client, see sk166428:
[image: Managed_Client.jpg]

>>> Does it mean the IPSec VPN cert?
Yes - IPSec VPN uses the internal certificate (ICA) for the "Endpoint Security VPN" client.

Sergo89
Contributor

Thanks Heiko,

How do I choose which type of VPN we will be using? The full Endpoint version doesn't have options (Mobile is a different story). Do I have to create two different SSL certificates for IPSec VPN and SSL VPN?

Sergo89
Contributor

Oh! What I have found in the manual:

1. Install the Access Policy on the gateway.

   Note - The Repository of Certificates on the IPsec VPN page of the gateway object is only for self-signed certificates. It does not affect the certificate installed manually using this procedure.

Sergo89
Contributor

Heiko,

Is it possible to find the private key somewhere when we generate a certificate from the GUI (IPSec VPN)?