Thank's for the response.
But I have to admit that it does not make sense for me, we have to renew our certificate every 12 months, this means that the user will be prompted with this once a year.
If a malicious actor would've replace the certificate for a mitm attack the users will already be learned up to click yes and continue their work.

Maybe others can confirm 100%, but I am pretty certain it is expected behavior. I do agree with you, thats very true what you said, but at the same time, while its absolutely true that literally no end user will even pay attention to that message, its there for a reason and thats to make sure fingerprint matches with whats on gateway side.

I understand, but what does not make sense is that the users that were logged in during the renewal was not prompted with this message.

I believe thats expected as well...while users are logged in, they would not see that pop-up.

Really seems like there is no way around this then... I guess we will have to warn our users once a year that this will appear.

Dont give up yet...there might be a way around it. lets see if someone might have an idea.

Thanks!

But from my point of view this seems like and incredible task?

As soon as you change the registry, the client will have wrong finger print for the current certificate.
You dont know the fingerprint for the new cert until you change it in management.
This means that all clients have to be online between cert change and policy push, so that you can push the registry setting.
If not the clients that were offline will not get the registry change and will be prompted either way.

So I think we still would have the same issue with this, at least to some extent.

Maybe someone from R&D sees this post and replies, because you do bring up a very good point. I agree with you 100%.

Thanks, lets hope so!

End users should be able to verify the fingerprint visible within that pop-up. IT admins should be able to provide it to all users in order to confirm that they are really connecting to the correct gateway with correct fingerprint.

You can somehow try to open some web page (internal over intranet) where all fingerprints will be stored for comparison.

Or store all fingerprints on user's desktop, as text file, and replace it everytime you change the certificate or fingerprint is changed for whatever reason.

Seems like a poor user experience especially given that our user base consist of production workers with next to none IT competence, would be a rough job for our servicedesk.

Thanks!

Br

Did some more testing on this now, seems like you can just delete the "accepted_cn" key. It does not give you the prompt whenever it does not have a finger print already stored.

Seems like the vpn client does not care about the certificate being verified by trusted CA or not.
Tested by deleting the entrust root and intermediate ca from the trust store on the machine and the client did not care.

With this to our knowledge we could evne discuss that it would be better security to have self-signed certificate with 100 year expiration time, so that we don't learn our users to click okey on certificate errors.
But as long as the address is available from the internet we of course want an officially signed cert.

Not trying to be difficult, but I find it weird that such a big vendor does not have a solution for this 🙂

Br

I dont think you are difficult at all. I agree with you 100%. Though, I will say this...yes, it might be difficult for users, BUT, Check Point is security company, so better safe than sorry, right?

Good to hear. Yeah I agree, and that's why I find it weird that the Check Point vpn client does not care about trusted CA, only the fingerprint.

No argument there my friend. If I were you, personally, I would definitely get an official TAC case, so that way users can get vendor's answer as well.

Received a reply from TAC today:

"My name is Gil, I will be assisting you throughout this ticket.

I've noticed that sk66263 was already suggested to Jorgen at the CheckMates thread.
That is indeed the answer I would have given out as well.

As for the fact that the client cares about fingerprint only - that is true but only after the client has saved its first fingerprint to the registry.
But at the very first connection by the client when it is first installed, the registry is empty, and then it does consider factors such as Subject and Issuer.

The whole point of the fingerprint being stored at the registry is so that the client will "remember" the decision to trust that certificate and won't keep pestering the user to approve the cert again or not.

From that point, if a new certificate is presented to the client, it will NOT trust the certificate regardless if all its fields are legit - and the reason will be that the fingerprint is different than what it "remembers".


Now about distributing the fingerprints via GPO - even if users are offline, is it not possible to "queue" the push until they are online?

Remember that indeed you will know what fingerprint to push after you renew the certificate in the MGMT server, but it won't actually be replaced until the policy is pushed, giving you some time to prepare.

Additionally, once you have the new fingerprint in hand, the employees can be updated via email that should they see the "trust" message with the mentioned fingerprint, it's fine to approve it.


Hope this helps a little!
Please let me know if you have further questions.

BR,
Gil Fridman"

From my expirience (its a little aged), I can tell you that you will get this prompt green instead of red, when the certificate is valid (matches the FQDN of the site e.g) and the cert chain is trusted by Client OS.

But you will get the prompt.

You were wondering, why you did not get the prompt again after deleting the trust fingerprint from the registry key mentioned in sk66263. I think this is because the trust is also written to trac.conf. Deobfuscate this file (I guess you know how) and you will find something like this in it:

<PARAM ccc_fingerprint="KING MOST FIVE CLOG LOP TONY LENT CAKE MAC RECK ROY GLUM"></PARAM>

This is the RfC#1751 encoded representation of the SHA-1 fingerprint of the Root-CA of the certificate used for this portal (platform portal for legacy IP-Sec-VPN blade only, Mobile Access Blade Portal for MOB). Please verify this. Sometimes, it seems to be the fingerprint from intermediate instead of root CA.
If this fingerprint changes, there is popup for your users. This means renewals of portal cert do not trigger popups for users, when the CA cert keeps the same. Of course, also CA cert expires eventually. This reduces your problem a little.

<PARAM internal_ca_fingerprint="TELL ACE RUB SANK JUNK ARE ROOT LEO ANA VOID POD MOVE"></PARAM>

This is the RfC#1751 encoded representation of the SHA-1 fingerprint of the certificate configured in SmartConsole -> IPSec-VPN .
Changing this cert does not seem to trigger a user popup. Warning: This expirience was from an environment without MOB, only Legacy IPSec-VPN blade for Remote Access with Endpoint Security VPN client.

Hi,

Getting a green prompt would atleast be much better, the cert we're using has full cert-chain and is fqdn and root ca from entrust is in the trust store on the client so I would assume that the cert is ship shape.

But your input is very valuable, if you could add the fingerprint of the intermediate CA instead, that would be a huge mitigation in consideration of the prompt.

Br

Very logical point!!

Is it same if you delete and re-create the site?

Andy

I assume it depends on the reason the certificate is untrusted.
Click “details” and see what it says (and translate to English).