This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Georgi_Lyaskov
Participant
‎2018-04-26 07:07 AM

Replace Internal CA - SSL Inspection with own certificate.

Hello Checkmates,

I'm testing the SSL Inspection on Checkpoint 790 with R77.20.75 firmware. With the dafault internal certificate it works as described in the instructions. 

According to the sk121214, I can use my own certificate by replacing the internal CA.

I'm trying to use one issued by our Private PKI server. I can preview the certificate, but when I apply, the firewall appliance load it, but with error: Invalid certificate file.

As a result also the VPN service is affected, and my only option to recover is to Reinitialize Certificates.

What are the specific requirements for the replacing certificate, in addition to that it should be .p12 or .pfx?

4 Replies
PhoneBoy
Admin
Admin
‎2018-04-26 09:33 AM

Can you confirm your private PKI server is issuing a certificate authority key?

If it's not a CA key, it will not be considered valid.

You may also need to provide the entire certificate chain to the root CA so the gateway can validated the certificate.

This is because HTTPS Inspection generates certificates on the fly based on the CA key (either the one you provide or the one internally generated).

0 Kudos
Georgi_Lyaskov
Participant
‎2018-04-27 12:45 AM
In response to PhoneBoy

No it wasn't. I've missed that explanation Smiley Happy. Now I understand that the Checkpoint should act as a sub issuing CA in our enterprise PKI.

It would be easier, if the firewall can create a request file for a subordinate CA certificate, as it will contain the required attributes. I assume the subject field can be anything and should have the following key usages KEY_CERT_SIGN_KEY_USAGE  CERT_DIGITAL_SIGNATURE_KEY_USAGE.  

Is the checkpoint also going to create a new certificate for the VPN, based on the uploaded valid sub CA cert?

 

 

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2018-04-27 02:05 AM
In response to Georgi_Lyaskov

No, a new certificate for the VPN is only created if you trigger that.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2018-04-27 12:51 PM
In response to Georgi_Lyaskov

That sounds right to me.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events