Alias
Contributor

Secure Domain Logon - Certificate is badly signed

Hey Mates,

We are using Remote Access VPN with a 3rd party CA (Windows PKI) on an 80.20 setup.

When clients try to use the secure logon to connect prior to Windows login, the users get a failed connection with the error message "Certificate is badly signed". As soon as the Windows login is over, the Remote Access login works just fine.

Also, we switched our CA a while ago. This problem only happens with certificates from the new CA; with certificates from the old CA, domain logon works.

I don't really understand how to read the "Certificate is badly signed" message.

What does this mean? How can it be badly signed and then it is accepted 2 minutes later? Is this a CRL problem?

I would appreciate some input, if anybody had such an issue before

Cheers

 

0 Kudos
1 Solution

Accepted Solutions
AndreiR
Employee

Hi,

The fix for the "Certificate is badly signed" issue will be available in the coming E87.20 (should be GA within a few weeks). If for some reason it doesn't help in your specific configuration, please open a support case and refer to this ID: "ESVPN-3747".


6 Replies
PhoneBoy
Admin

Did you import the CA key and all the intermediate certificates into the CA key store on the client?
When you imported the CA key into the gateway, did you also include any intermediate certificates?
At least from a few TAC cases, this seems to be one potential reason for the issue.

Alias
Contributor

Hey Phoneboy,

Thank you for your reply.

Yes, the CAs are correctly implemented on the clients and the gateway. Just for my own understanding, if it weren't correctly configured, the VPN shouldn't work at all?

I deactivated the CRL checking on the gateway as described in sk21156 to see if it is a CRL problem, but it still doesn't work.

 

PhoneBoy
Admin

Would recommend opening a TAC here.

0 Kudos
Alias
Contributor

Hey,

yeah, I am afraid I have to.

I tried a couple of things and I suspect it has to do with another issue I had a while ago with renewing a CA and posted here:

https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-implement-a-renewed-3rd-Party-Issuing-C...

We'll see. Thanks for your help

Cheers

D

 

 

0 Kudos
514numbers
Contributor

We have the same issue but only for a few laptops with 86.60. We have opened a case; however, we would like to know if there was a solution.

