Solved: Check Point RA VPN : force the use of a specific u...

AntoineDelrue · ‎2020-09-28

Hi,

Recently, we enabled the user certificate authentication method, as long with username & password. The user certificates are pushed by the Active Directory via GPO, and come from the ADCS role within our network.

This is working fine, the username field is populated automatically in Check Point Endpoint Security, and it validates the user's certificate alright.

However, some of our users have several certificates in their user store. We need to find a way to force the VPN client to use a specific certificate, based on specific criteria (regex, or else).

I found no resource on how to control which certificate is being used by the client. It seems to picks it up automatically.

Anybody have an idea on how we can achieve our goal ?

Thanks in advance.

Regards,

Antoine.

Henkpoa

Since this post is shown up on google as first result, I want to give an update.

It is possible to filter certificates now, see: https://support.checkpoint.com/results/sk/sk169453

We have made it so only one certificate is visible, which lessens the confusion the users have if they ever get into the "connect to" screen where they have to choose a user certificate.

View solution in original post

PhoneBoy · ‎2020-09-30

Are you doing a user certificate or a machine certificate?
I know in the case of a machine certificate, we automatically choose one, I believe based on latest expiration date.
In that case, there is no mechanism to choose a different certificate.

AntoineDelrue · ‎2020-10-01

Hi,

Thanks for your comment. We are only using user certificates, not machine certs.

The certificates we want to choose come from internal ADCS CA.

Thanks in advance.

AndreiR · ‎2020-10-01

Hi @AntoineDelrue ,

Assuming you use Check Point VPN client for Windows desktop.

At this moment VPN client does not provide capability to pre-define which certificate to use from CAPI store. But in the next release which is expected in October we are introducing a new feature which exactly fits you needs. Administrator will be able to define criteria to filter certificates which client display as available for user authentication. You will be able to specify, for example, pattern of DN or Extended Key Usage or Certificate Template and the client will display only those certificates which match your criteria.

Watch for updates of Endpoint Security Homepage:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Ob1lan · ‎2020-10-15

Hi @AndreiR ,

Thanks, I'll be looking forward this new release ! Once it's tested and confirmed it works as expected, I'll close this topic.

Regards,

Antoine

Ob1lan · ‎2020-10-28

Hi @AndreiR ,

Client E84.00 released a couple of days ago. I checked, and couldn't find any where that option to define how the cert will be chosen.

In the release note, only new feature listed is newer version of Windows 10 supported.

Could you please tell me how I can define how the VPN client might select the user cert ?

Thanks in advance.

Regards

Ob1lan · ‎2020-12-09

Hi @AndreiR ,

Any news regarding the option to force the client to select a certificate based on a given pattern ? I don't find this option in R84.0.

Thanks in advance.

Regards,

Antoine

MattElkington · ‎2022-10-04

Hi Andrei,

Did this update ever occur? Is there a solution for pre-selecting CAPI certs?

I have search through the Endpoint Security Homepage for any mention of CAPI and there seems to be nothing new in regards to it.

Thanks

Norbert_Bohusch · ‎2020-10-15

If the certificate in CAPI has a DN which can be distinguished from others, you can do the following, by script started through GPO or similar (here with a PowerShell example).

With this procedure it selects the string based on your pattern and connects. As the VPN client saves the last successfully used certificate for the next connect, afterwards you don't have to select it manually.

Here the parts of the script:

1. Get the list of certificates available to Check Point Client and select the right certificate by pattern:

cd C:\Program Files (x86)\CheckPoint\Endpoint Security\Endpoint Connect

$myvar=.\trac.exe list |Select-String -Pattern xyz

2. Fetch the DN String from this Output:

$dnstring = $myvar.ToString().Trim()

3. Connect to the Site using the DN and disconnect afterwards:

.\trac.exe connect -s "<sitename>" -d $dnstring

.\trac.exe disconnect

Henkpoa · ‎2025-01-13

Hello!

Appreciate the solution!

But I feel this should be a built in solution since long.

In Cisco AnyConnect since many years back, you could easily define a REGEX match under its VPN profile to select a certificate properly.

Does anyone know if there is a solution in place now, after 4 years, or if this is still the solution to use?

Henkpoa

Since this post is shown up on google as first result, I want to give an update.

It is possible to filter certificates now, see: https://support.checkpoint.com/results/sk/sk169453

We have made it so only one certificate is visible, which lessens the confusion the users have if they ever get into the "connect to" screen where they have to choose a user certificate.

PhoneBoy

I had asked someone in R&D about this a while ago and they said it was an RFE.
Nice to see there is a way to do it now.

Check Point RA VPN : force the use of a specific user certificate in Windows Store

Check Point RA VPN : force the use of a specific user certificate in Windows Store

Are you a member of CheckMates?

Check Point RA VPN : force the use of a specific user certificate in Windows Store

Check Point RA VPN : force the use of a specific user certificate in Windows Store