This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alias
Contributor
‎2021-07-22 10:49 PM
Jump to solution

Secure Domain Logon - Certificate is badly signed

Hey Mates,

we are using Remote Access VPN with 3rd party CA (Windows PKI) on a 80.20 setup.

When clients try to use the secure logon to connect prior to Windows login, the users get a failed connection with the error message "Certificate is badly signed". As soon, as the windows login is over, the Remote Access login works just fine.

Also, we switched our CA a while ago. This problem only happens with Certificates from the new CA, with certificates from the old ca domain logon works

I dont really understand how to read the "Certificate is badly signed" message

What does this mean? How can it be badly signed and then it is accepted 2 minutes later? Is this a CRL problem?

I would appreciate some input, if anybody had such an issue before

Cheers

 

0 Kudos
1 Solution

Accepted Solutions
AndreiR
Employee Alumnus
Employee Alumnus
‎2023-02-23 01:36 AM
In response to 514numbers
Jump to solution

Hi,

The fix for the "Certificate is badly signed" issue will be available in coming E87.20 (should be GA within few weeks). If for some reason it doesn't help in your specific configuration, please open support case and refer this ID: "ESVPN-3747".

View solution in original post

6 Replies
PhoneBoy
Admin
Admin
‎2021-07-23 12:10 AM
Jump to solution

Did you import the CA key and all the intermediate certificates into the CA key store on the client?
When you imported the CA key into the gateway, did you also include any intermediate certificates?
At least from a few TAC cases, this seems to be one potential reason for the issue.

Alias
Contributor
‎2021-07-23 01:10 AM
In response to PhoneBoy
Jump to solution

Hey Phoneboy,

thank you for your reply

Yes, the CAs are correctly implemented on the clients and the gateway. Just for my own understanding, if it weren't correctly configured, the VPN shouldnt work at all?

I deactived the CRL checking on the gateway as described in sk21156 to see if it is a CRL problem, but it still doesn't work

 

PhoneBoy
Admin
Admin
‎2021-07-23 08:45 AM
In response to Alias
Jump to solution

Would recommend opening a TAC here.

0 Kudos
Alias
Contributor
‎2021-07-26 05:33 AM
In response to PhoneBoy
Jump to solution

Hey,

yeah, I am afraid I have to.

I tried a couple of things and I suspect it has to do with another issue I had a while ago with renewing a CA and posted here:

https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-implement-a-renewed-3rd-Party-Issuing-C...

We'll see. Thanks for your help

Cheers

D

 

 

0 Kudos
514numbers
Contributor
‎2022-11-01 10:45 AM
In response to Alias
Jump to solution

We have the same issue but only for a few laptops with 86.60. We have opened a case howerver would like to know if there was a solution.

AndreiR
Employee Alumnus
Employee Alumnus
‎2023-02-23 01:36 AM
In response to 514numbers
Jump to solution

Hi,

The fix for the "Certificate is badly signed" issue will be available in coming E87.20 (should be GA within few weeks). If for some reason it doesn't help in your specific configuration, please open support case and refer this ID: "ESVPN-3747".

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events