LazarusG
Contributor

NET::ERR_CERT_COMMON_NAME_INVALID GAIA Portal.

Hi

A customer has a requirement to prevent this message from appearing when accessing GAIA.

I am aware of  sk174383.

However I have explained that this certificate is generated automatically by the system and pragmatically the fact that you trust the Checkpoint ICA, and all certificates signed by it, should be sufficient to mitigate any concerns.

The customer could generate a CSR and submit to an internal PKI I guess as per sk69660.

But that's quite a lot of work to do per gateway (they have a large estate) and every time the certificate expires.

The customer also has no internal PKI and I see no reason why they should pay for third party certificates just so a malicious user would trust the certificate chain.

I also suggested they export the certificate chain and push out by GPO but this will still likely get picked up by external scans and tests.

So my question is: is there any way to influence the behaviour of the SAN via the built in ICA to avoid this problem going forwards?

Is this something that is being looked at for upcoming JHF?

Am I just being dumb and missing something obvious? 🙂

Any Input would be appreciated - thanks!

8 Replies
the_rock
Legend

I don't think you are missing anything, that sk seems valid for the issue they have. Just curious, does it make any difference if they try a private browser window?

Andy

LazarusG
Contributor

Hi, unfortunately not, and it seems exporting the ICA cert and importing it into the Root Certificate store on the PC doesn't solve the issue (even if the appliance Gaia cert is also imported into Personal and the chain is shown as OK in mmc).

PhoneBoy
Admin

The certificate for the Gaia portal is not generated via the ICA.
There appears to be a procedure to add information to the SAN for the Gaia Portal Certificate in sk97648, but the SK is internal.
Please consult with TAC: https://help.checkpoint.com 

LazarusG
Contributor

Thanks PhoneBoy, can I clarify on the signing? I just exported the gateway cert from the Gaia browser and added it to the Personal store, but it was shown as untrusted. I then exported the ICA cert from SmartConsole and imported it into the Root store, and now the certificate chain is shown as OK.

I will maybe engage TAC but if customers will have requirements to address this browser warning it would be good if it was something we could influence easily (or automatically in the system without effort on customer part).

I just found sk181410, which looks like it would address the issue (?). It still seems like a lot of effort for something that 'isn't' broken just to make a browser happy.

##Update: although I didn't get this, PhoneBoy, so apologies (I thought the appliance Gaia cert was chained)
sk181410
"Note - Each Gaia OS has a unique self-signed certificate"

##Update again: ok, so I was confused. When a firewall is built it has a self-signed cert, but if you enable the VPN blade and push policy, the Gaia cert becomes the VPN cert, which is signed by the ICA.

So it seems we need to follow sk181410 to generate new self-signed certs that satisfy the browser CN/SAN requirements, and/or renew the VPN cert with additional criteria?
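The browser error in the thread title is a hostname-match failure, not a chain-trust failure, which is why importing the ICA into the Root store changes the chain status in mmc but leaves the warning in place. Chrome (since version 58) ignores the Common Name entirely and matches the URL host only against subjectAltName entries, so a certificate with no SAN can never satisfy it regardless of who signed it. The script below is an added example, not Check Point's code and not taken from any SK: it models that check over constructed certificate dicts in the layout that Python's ssl.SSLSocket.getpeercert() returns, and reports the chain-trust and name-match results separately so the two failure modes can be told apart. All hostnames, IPs and issuer names in it are made up.

```python
"""Model of the browser hostname check behind NET::ERR_CERT_COMMON_NAME_INVALID.

Added example (not Check Point's code). Certificates are constructed dicts in
the layout returned by ssl.SSLSocket.getpeercert(); nothing is fetched.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: the shape of a default self-signed Gaia-style cert, CN only.
SELF_SIGNED_CN_ONLY: Dict = {
    "subject": ((("commonName", "gw-example"),),),
    "issuer": ((("commonName", "gw-example"),),),
}

# Constructed sample: what a CSR-based or sk181410-style cert with a SAN looks like.
CERT_WITH_SAN: Dict = {
    "subject": ((("commonName", "gw-example"),),),
    "issuer": ((("commonName", "Internal PKI Issuing CA (placeholder)"),),),
    "subjectAltName": (
        ("DNS", "gw-example.corp.example"),
        ("DNS", "*.mgmt.corp.example"),
        ("IP Address", "192.0.2.10"),
    ),
}


def common_name(cert: Dict) -> str:
    """Return the subject CN (informational only; browsers no longer match on it)."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".mgmt.corp.example"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def _is_ip(hostname: str) -> bool:
    try:
        ipaddress.ip_address(hostname)
        return True
    except ValueError:
        return False


def check_hostname(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Match the URL host against SAN entries the way a modern browser does."""
    sans = cert.get("subjectAltName", ())
    if not sans:
        return False, "no subjectAltName present; CN '%s' is ignored" % common_name(cert)
    if _is_ip(hostname):
        wanted = ipaddress.ip_address(hostname)
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == wanted:
                return True, "matched IP SAN %s" % value
        return False, "no IP SAN matches %s" % hostname
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, hostname):
            return True, "matched DNS SAN %s" % value
    return False, "no DNS SAN matches %s" % hostname


def evaluate(cert: Dict, hostname: str, issuer_trusted: bool) -> List[str]:
    """Return the browser-style error codes that would apply, in check order.

    issuer_trusted models whether the signing CA (e.g. the ICA) is in the
    client's Root store; name matching is evaluated independently of it.
    """
    errors: List[str] = []
    if not issuer_trusted:
        errors.append("ERR_CERT_AUTHORITY_INVALID")
    ok, _reason = check_hostname(cert, hostname)
    if not ok:
        errors.append("ERR_CERT_COMMON_NAME_INVALID")
    return errors


if __name__ == "__main__":
    # Importing the ICA fixes the chain but not the name: the warning persists.
    print(evaluate(SELF_SIGNED_CN_ONLY, "gw-example", issuer_trusted=True))
    print(evaluate(CERT_WITH_SAN, "gw-example.corp.example", issuer_trusted=True))
```

To apply the same check to a real portal, the certificate dict can be obtained with ssl.create_default_context() and getpeercert() on a connection to the appliance; note that getpeercert() only returns the parsed dict when the context actually verified the chain, so the issuer must already be trusted by the client running the check.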

the_rock
Legend

Maybe a TAC case is not a bad idea, just to confirm the steps, but it sounds logical to me.

Andy

LazarusG
Contributor

Looks like sk181410 made the mgmt server agreeable to the browser.

Then adding the ICA cert and VPN gateway cert to the Trusted and Personal stores made the VPN gateway OK too.

the_rock
Legend

That fixed it?

PhoneBoy
Admin

sk181410 looks like the correct procedure in this case, yes.
