David_C1
Advisor

Identity Collector and Gateway certificates - which one?

A question to which I think I know the answer, but thought I'd see if anyone knows of an "official answer". We use Identity Collectors in our various environments: production, lab, etc. In our lab, the certificate used by the Identity Collector to validate the gateway is the platform portal certificate, issued by our internal Windows CA. Our lab gateways also have an IPSec certificate, issued by our SMS.

In our production environment, the certificate used by the Identity Collector to validate the gateway is the IPSec certificate, issued by our SMS. These gateways do not have a platform portal certificate.

So my question is - where a gateway has a certificate for the platform portal and for IPSec VPN, does the Identity Collector default to the platform portal? Or is there a way to choose what it uses?

Dave 

0 Kudos
1 Solution

Accepted Solutions
CheckPointerXL
Advisor

You can control which certificate IDC uses.

Example: you can associate your certificate signed by your CA to the UserCheck portal.

The UserCheck portal will be associated to an IP and an FQDN to make the certificate work... so simply configure the UserCheck IP in IDC and your own certificate will be prompted to be trusted.

That IP/FQDN/certificate association needs to be unique on the FW to avoid overlapping with other portals.

I have an environment with UserCheck and captive portal associated to the same IP, FQDN and certificate... from IDC I configure the IP of them.

3 Replies
David_C1
Advisor

Thanks for this information. Your explanation makes sense, but it does not match my configuration. I have a cert assigned to my captive portal (and the same cert assigned to my platform portal) with an IP of 10.1.1.1. This cert has a number of Subject Alternate Names, both DNS entries and IP addresses. The IP address I used in the IDC configuration to establish connection with this cluster is neither 10.1.1.1 nor any of the SAN entries - it is a different interface on the firewall (the interface for the network that the IDC is on). When I look at the Certificate Info on the gateway config on the IDC, it is using the usercheck/platform portal cert, but again the IP address used to configure the gateway is not 10.1.1.1 nor any of the addresses listed as a Subject Alternate Name.

Still a bit stumped.

Dave

0 Kudos
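A practical check that follows from both the accepted answer (the portal certificate is bound to an IP/FQDN) and David's follow-up (the IP given to the IDC is not in the certificate's SANs): connect to the address you configured in the Identity Collector, fetch the certificate the gateway actually presents there, and compare that address against the certificate's Subject Alternative Names. This is an added example written for this thread, not code from the IDC or from Check Point; it assumes the gateway presents the portal certificate on TCP 443 and that you have the issuing CA (the internal Windows CA or the SMS ICA) exported as a PEM file. The sample certificate dictionary is constructed to mirror the situation described above (portal cert on 10.1.1.1, IDC pointed at a different interface); the names in it are invented.

```python
"""Check which certificate a gateway presents on the address the Identity Collector uses,
and whether that address is actually named in the certificate's SANs.

Added example, not Check Point or IDC code. Assumes the portal answers on 443 and that
the issuing CA is available as a PEM bundle for validation.
"""
import ipaddress
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a portal certificate bound to 10.1.1.1 with DNS and IP SANs, as in the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "fw-cluster.lab.example"),),),
    "issuer": ((("commonName", "Lab Windows CA"),),),
    "subjectAltName": (
        ("DNS", "fw-cluster.lab.example"),
        ("DNS", "usercheck.lab.example"),
        ("IP Address", "10.1.1.1"),
    ),
}


def common_name(cert):
    """Return the certificate's subject CN, or an empty string if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def _dns_match(pattern, hostname):
    """Match a DNS SAN against a hostname; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def endpoint_is_covered(cert, endpoint):
    """True if the IP or hostname used to reach the gateway appears in the SANs.

    An IP endpoint must match an 'IP Address' SAN; a hostname must match a 'DNS' SAN.
    This is the comparison a strict TLS client performs, and it is what fails when
    the IDC is pointed at an interface address that the portal cert does not list.
    """
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_match(value, endpoint):
            return True
    return False


def describe(cert, endpoint):
    """Human-readable summary: which cert was presented and whether the endpoint is covered."""
    sans = ", ".join(f"{k}={v}" for k, v in cert.get("subjectAltName", ()))
    status = "covered" if endpoint_is_covered(cert, endpoint) else "NOT covered"
    return f"CN={common_name(cert)}; SANs: [{sans}]; endpoint {endpoint} is {status}"


def fetch_peer_cert(host, port=443, ca_file=None, timeout=5.0):
    """Connect to the gateway and return the presented certificate as a dict.

    Validation against ca_file is kept on so getpeercert() returns the parsed
    certificate; hostname checking is disabled here because endpoint_is_covered()
    performs that comparison explicitly and reports the result instead of just failing.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample: the portal IP is covered,
    # the other interface address that was configured in the IDC is not.
    print(describe(SAMPLE_CERT, "10.1.1.1"))
    print(describe(SAMPLE_CERT, "10.50.0.1"))  # hypothetical IDC-facing interface
    # Live use (assumed paths/addresses):
    # cert = fetch_peer_cert("10.50.0.1", ca_file="internal-ca.pem")
    # print(describe(cert, "10.50.0.1"))
```

If the endpoint reports as NOT covered, the certificate is still being presented on that interface (which matches what the IDC's Certificate Info shows), but a client that enforced hostname/IP matching would reject it; either add the IDC-facing address to the portal certificate's SANs, or point the IDC at the IP/FQDN the portal certificate was issued for, as the accepted answer suggests.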
the_rock
Legend

@CheckPointerXL explained it perfectly.

Andy

0 Kudos