This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have one, create one now for free!
TonyStark
Participant
‎2022-05-18 03:50 AM

SSL network extender uses wrong certificate

Hello

We recently changed the SSL Certificates for VPN on our Gateway. We use two certificate. One for internal use only issued by an internal CA and one for external use issued by  EuropeanSSL. Our configuration looks correct on the first glimpse but if we connect to our SNX it shows the internal certificate which it should not use. 

 
 

SSL1.PNGSSL2.PNG

 

SSLVPN-2022 is our EuropeanSSL Certificate the internal one would be InternalCP

Is there any kind of database entry that did not override or did i miss anything?

Thanks in advance for your help

 

0 Kudos
8 Replies
_Val_
Admin
Admin
‎2022-05-19 01:33 AM

Silly question, did you push policy? 

0 Kudos
TonyStark
Participant
‎2022-05-19 01:41 AM
In response to _Val_

Sure! Its running since 2 weeks or so...

0 Kudos
_Val_
Admin
Admin
‎2022-05-19 01:49 AM
In response to TonyStark

Got it. Look into sk177903 and let me know if it fixes things or not.

0 Kudos
TonyStark
Participant
‎2022-05-23 12:42 AM
In response to _Val_

I dont think this is the right solution... The UserCheck Portal should use the internal CA Cert but when we want to access the SNX Web-Page (for example) from the public domain it should use the EuropeanSSL but it does'nt...

SNX Homepage.PNG

This page is accessed via the public domain name so it should use the EuropeanSSL cert but internally it shouldnt

I hope you understand what I mean

0 Kudos
_Val_
Admin
Admin
‎2022-05-23 12:50 AM
In response to TonyStark

UserCheck and SNX are using the same certificate, which is different from VPN certificate. What is the issue for UserCheck to show your EuropeanSSL?

0 Kudos
_Val_
Admin
Admin
‎2022-05-23 12:52 AM
In response to TonyStark

Also, to make sure which certificate is used where, you can look into $FWDIR/database/myself_objects.C file of your Security Gateway

0 Kudos
TonyStark
Participant
‎2022-05-23 02:04 AM
In response to _Val_

Okay so i checked the File....

The UserCheck Portal is running following settings:

: (
:type (portal_settings)
:portal_name (UserCheck)
:ssl_certificate (ReferenceObject
:Uid ("{BE6C0102-E935-4917-8B3E-A81DEE2577D3}")
:Name (cert_9)
:Table (ssl_certificates)
)
:internal_port (8887)
:is_enabled (true)
:priority (1000)
:encrypted_connection (true)
:dmz_internal_interfaces (false)
:portal_access (internal_interfaces)
:is_any_host (false)
:ip_address (w.x.y.z)
:allow_additional_clear_port (false)
:main_url ("https://server.domain.net/UserCheck")
:undefined_internal_interfaces (false)
:certificate_mode (all_with_same_ip)
:is_encrypted (true)
:path_prefix ("/UserCheck")
:hostname (server.domain.com)
:external_port (443)
)

 

It references to the ceretificate cert-9 but in the certificates section there is only the certs EuropeanSSL_Intermediate-2 and internal_ca... could that be related? and am i allowed to add a certificate to the config of the snx portal?

: (
:type (portal_settings)
:portal_name (VPN_SNX)
:internal_port (444)
:is_enabled (true)
:priority (1000)
:encrypted_connection (false)
:dmz_internal_interfaces (false)
:portal_access (all_interfaces)
:is_any_host (false)
:ip_address (0.0.0.0)
:allow_additional_clear_port (false)
:main_url ("https://0.0.0.0/")
:undefined_internal_interfaces (false)
:certificate_mode (all_with_same_ip)
:is_encrypted (true)
:path_prefix ("/")
:hostname (0.0.0.0)
:external_port (443)
)

 

0 Kudos
_Val_
Admin
Admin
‎2022-05-23 02:56 AM
In response to TonyStark

As I said, SNX uses the same infrastructure as UserCheck, so no, you cannot manually assign a different certificate to it by editing the file. 

0 Kudos