superd
Contributor

Checkpoint URLF Block Page Certificate

Hi,

I have enabled Checkpoint URLF with HTTPS Inspection enabled. All is working fine, except I am getting cert trust issues with the block page. (R80.40)

Can anyone advise how I export this block page cert so I can trust it in users' browsers? Or if there is some other guidance?

Also, is enabling UserCheck required in order to serve the block page, or is that something different? I have that enabled.

Thanks.

D

0 Kudos
8 Replies
Wolfgang
Mentor

You can import a certificate enrolled from your internal CA to the UserCheck page of the gateway properties. Your clients should trust this CA. If you're using the default certificate, your clients have to trust your internal Check Point CA of the management server. You can export the public certificate from the management server.

superd
Contributor

Thanks Wolfgang, is there a simple way to export this certificate from the SMS GUI?

0 Kudos
Sorin_Gogean
Advisor

In addition to what Wolfgang stated ... from my notes

We require an SSL certificate on the GWs, as the page presented with the BLOCK message is HTTPS and is using the Platform Portal (as it seems).

They say to follow: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

But it's better to follow: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

(as I've used it previously)

superd
Contributor

Cheers Sorin, seems a bit convoluted. I'd like to just extract whatever cert is being currently served for the block page.

0 Kudos
Sorin_Gogean
Advisor

Now I got it, your certificate error is shown to the end-user when he is redirected to the Block page - that is served by the GW cluster.

You can generate a certificate (signed by the same CA that you used to delegate HTTPS Inspection) and import it into the UserCheck.

0 Kudos
superd
Contributor

Yes Sorin, serving of the block page shows a connection error, or the client not trusting the cert.

So, for clarification, I must generate a self-signed cert to avoid errors? Is there definitely no way to export whatever cert Checkpoint is providing by default? - I find this surprising.

0 Kudos
Sorin_Gogean
Advisor

For sure you can export it; it is the same one you get when accessing the UserCheck portal. It's not an on-the-fly generated one.

After that you will need to set it on all the clients in trusted certs, therefore my recommendation is to look for a centralized CA/certificate solution, then you just need to trust the Root CA and all the rest will follow.

0 Kudos
superd
Contributor

Could I extrapolate from the below message that one must use a self-signed cert to avoid errors, i.e. the auto-generated cert is not extractable?

Screenshot 2022-05-06 at 09.03.49.png

0 Kudos