cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Replace Internal CA - SSL Inspection with own certificate.

Hello Checkmates,

I'm testing the SSL Inspection on Checkpoint 790 with R77.20.75 firmware. With the dafault internal certificate it works as described in the instructions. 

According to the sk121214, I can use my own certificate by replacing the internal CA.

I'm trying to use one issued by our Private PKI server. I can preview the certificate, but when I apply, the firewall appliance load it, but with error: Invalid certificate file.

As a result also the VPN service is affected, and my only option to recover is to Reinitialize Certificates.

What are the specific requirements for the replacing certificate, in addition to that it should be .p12 or .pfx?

4 Replies
Admin
Admin

Re: Replace Internal CA - SSL Inspection with own certificate.

Can you confirm your private PKI server is issuing a certificate authority key?

If it's not a CA key, it will not be considered valid.

You may also need to provide the entire certificate chain to the root CA so the gateway can validated the certificate.

This is because HTTPS Inspection generates certificates on the fly based on the CA key (either the one you provide or the one internally generated).

0 Kudos

Re: Replace Internal CA - SSL Inspection with own certificate.

No it wasn't. I've missed that explanation Smiley Happy. Now I understand that the Checkpoint should act as a sub issuing CA in our enterprise PKI.

It would be easier, if the firewall can create a request file for a subordinate CA certificate, as it will contain the required attributes. I assume the subject field can be anything and should have the following key usages KEY_CERT_SIGN_KEY_USAGE  CERT_DIGITAL_SIGNATURE_KEY_USAGE.  

Is the checkpoint also going to create a new certificate for the VPN, based on the uploaded valid sub CA cert?

 

 

0 Kudos

Re: Replace Internal CA - SSL Inspection with own certificate.

No, a new certificate for the VPN is only created if you trigger that.

0 Kudos
Admin
Admin

Re: Replace Internal CA - SSL Inspection with own certificate.

That sounds right to me.

0 Kudos