Benjamin133030

IPSec VPN - Multiple level chain of trust certificate

Hello,
I'm looking to set up a VPN tunnel using certificate-based authentication, and I have a question regarding how to implement a multi-level trust chain on an SMS (R81.20).
Currently, each party shares its public certificate chain for authentication. For a two-level structure (Root CA > Sub CA), the Root CA certificate is registered in the SMS as a Trusted CA, and the Sub CA certificate is registered as a Subordinate CA:

Trusted Root CA > Subordinate Sub CA

However, what is the correct process when there is a third level or more (e.g., Root CA > Sub CA > Sub-Sub CA)?
Registering both the Sub CA and the Sub-Sub CA as subordinate CAs in the SMS leads to an incorrect interpretation:

Trusted Root CA > Subordinate Sub CA
Trusted Root CA > Subordinate Sub-Sub CA

Alternatively, registering the Sub CA as both a Trusted CA and a Subordinate CA results in this interpretation:

Trusted Root CA > Nothing
Trusted Sub CA > Subordinate Sub CA
Trusted Sub CA > Subordinate Sub-Sub CA

In both cases, the SMS does not correctly interpret the full chain as:

Root CA certifies Sub CA, which certifies Sub-Sub CA

Would you have any idea of the correct procedure for configuring a multi-level certificate trust chain in the SMS?
Thank you in advance.

3 Replies
_Val_

Did you try setting the root CA as well?

Benjamin133030

Yes, for both tests, the root CA was registered as Trusted CA on the SMS.

Test 1: We have the Root CA as Trusted CA, and the Sub CA and Sub-Sub CA registered as Subordinate CAs.

Test 2: We have the Root CA as Trusted CA, the Sub CA both as Trusted CA and as Subordinate CA, and the Sub-Sub CA registered only as a Subordinate CA.

Below is how the trust chain is perceived by the SMS afterward:

Test 1:
Trusted Root CA > Subordinate Sub CA
Trusted Root CA > Subordinate Sub-Sub CA

Test 2:
Trusted Root CA > Nothing
Trusted Sub CA > Subordinate Sub CA
Trusted Sub CA > Subordinate Sub-Sub CA

(">" means "is Trusted CA for"; the parent is chosen automatically by the SMS)


PhoneBoy

If it's not a Root CA you're importing, you should put the entire certificate chain in there (root and all subordinates).
This applies if it's a Sub-Sub CA as well, as far as I know.

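The chain question from the original post and the "import the entire chain" advice in the last reply, as an added example that is not part of the thread and not Check Point tooling: the script below uses openssl to build a hypothetical Root CA > Sub CA > Sub-Sub CA hierarchy that issues a VPN peer certificate, confirms each issuer/subject link (Root CA certifies Sub CA, which certifies Sub-Sub CA), and then shows that the peer verifies only when the trusted root is combined with the complete set of subordinate CAs, not with the root alone and not with an incomplete chain. All CA names and the peer name are made up; everything is generated locally in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): three-level CA hierarchy
# Root CA > Sub CA > Sub-Sub CA issuing a VPN peer certificate, then
# verification against (a) root only, (b) root + incomplete chain,
# (c) root + complete chain of subordinates. Names are hypothetical.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles: every CA certificate must carry CA:TRUE, the peer must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/peer.ext"

# issue NAME SUBJECT ISSUER EXTFILE
# Empty ISSUER means self-signed; otherwise the cert is signed with ISSUER's key.
issue() {
  name=$1; subject=$2; issuer=$3; ext=$4
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "$subject" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 3650 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 3650 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

build_chain() {
  issue root   "/CN=Example Root CA"    ""     "$WORK/ca.ext"
  issue sub    "/CN=Example Sub CA"     root   "$WORK/ca.ext"
  issue subsub "/CN=Example Sub-Sub CA" sub    "$WORK/ca.ext"
  issue peer   "/CN=vpn-peer.example"   subsub "$WORK/peer.ext"
  # The bundle a peer should present: every subordinate CA, leaf-ward order.
  cat "$WORK/sub.pem" "$WORK/subsub.pem" > "$WORK/chain.pem"
}

# dn FIELD NAME -> DN string with the "issuer=" / "subject=" prefix stripped
dn() { openssl x509 -noout "-$1" -in "$WORK/$2.pem" | sed 's/^[^=]*=//'; }

# link_ok CHILD PARENT: CHILD's issuer DN equals PARENT's subject DN
link_ok() { [ "$(dn issuer "$1")" = "$(dn subject "$2")" ]; }

# Three trust-store shapes; each returns openssl verify's exit status.
verify_root_only()  { openssl verify -CAfile "$WORK/root.pem" "$WORK/peer.pem" >/dev/null 2>&1; }
verify_partial()    { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/sub.pem" "$WORK/peer.pem" >/dev/null 2>&1; }
verify_full_chain() { openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/peer.pem" >/dev/null 2>&1; }

build_chain
for pair in "sub root" "subsub sub" "peer subsub"; do
  set -- $pair
  if link_ok "$1" "$2"; then echo "$2 certifies $1"; fi
done
if verify_root_only;  then echo "root only: OK"; else echo "root only: FAIL (issuer of peer not known)"; fi
if verify_partial;    then echo "root + Sub CA: OK"; else echo "root + Sub CA: FAIL (Sub-Sub CA missing)"; fi
if verify_full_chain; then echo "root + full chain: OK"; else echo "root + full chain: FAIL"; fi
```

The three verify functions model three trust stores: a store that knows only the root cannot build a path to a peer whose issuer is the Sub-Sub CA, a store missing one intermediate fails in the same way, and only the root plus the complete set of subordinates succeeds. The same holds for the SMS: the Root CA is the trust anchor and every intermediate must be present and chained to its actual parent, which is why the full chain should be imported rather than a single subordinate certificate.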