Hi experts,
My CLUSTER security gateway (R80.10) is using HTTPS inspection to control internet access. It is using a certificate with SHA1. Now I need to upgrade from SHA1 to SHA256.
I think I will follow sk115894 to generate a new cert, but I still have some questions; please help clarify. Thanks in advance:
>> I have a cluster, so where should I generate the cert (gateway 1 or 2 or on SMC)?
>> After generating the new cert, I will import the cert into SMC as the sk115894 guide says. But about the file server.key, its default location is /home/admin of the firewall (where it was born), so do I need to move it to some required location?
>> If this new cert has a problem after activating it on SMC (as in the sk115894 guide), could I roll back to the old cert like this below?
Thank you!!!
First of all, R80.10 is very close to End of Support.
Also, HTTPS Inspection has been improved substantially in later versions and it's highly recommended you upgrade to at least R80.40.
Anyway, to your question: what you are generating in sk115894 is a Certificate Authority key.
You can generate the CA key on a gateway, management, or any other system.
When you upload the CA key via SmartConsole and push policy, the gateways will be updated with the new CA key, which will be used to generate certificates for HTTPS traffic.
And, likewise, you can revert by simply uploading the old CA key and pushing policy.
Thank you, Mr. PhoneBoy,
As I see, when generating the key as in sk115894, it also generates a private key (a file called "server.key" in /home/admin). Do I need to take some action on this file or leave it as default?
Thanks!!
server.key is an intermediary file that is used to create the .p12 file, which is what is ultimately being uploaded.
Don't believe you need to do anything with the server.key file.
Thanks, PhoneBoy, for replying to me instantly.
To summarize, there are two ways I can proceed with my work:
1- Upgrade to a higher Check Point version (e.g. R80.40)
2- If still on R80.10, I generate a cert as the SK mentioned above. Then I upload the CA file (*.crt extension -> is this right?) to SMC, then push policy, and use GPO to push the crt file to the PC desktops....
Thanks!
Actually, you'll need to upload the new .p12 file regardless of what version you are on.
Upgrading to at least R80.40 is recommended for many many other reasons.
Oh, I just looked again: I need to upload the *p12 file, not the *crt file.
In case of a rollback to the old cert, I also need the p12 file of the old cert, but at the time I created the old cert in SmartConsole, I didn't know where the *p12 file of the old cert is located.
Could you please tell me where on the firewall it is stored?
I don't believe it is stored in a .p12 file or in any format that is easily extractable.
TAC might be able to assist here.
Regardless, provided you've distributed the new CA key to the relevant clients, there shouldn't be an issue that requires you to back out.
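As an added example (not part of the thread and not Check Point code): a standard-library check that reads the outer signature algorithm of a CA certificate file, so you can confirm the new HTTPS Inspection CA is SHA-256 signed rather than SHA-1 before it is distributed to clients. All function names are assumptions, and the sample input is a constructed DER skeleton, not a real certificate.

```python
import base64
import re

# DER-encoded OIDs of the two signature algorithms this thread is about.
SIG_OIDS = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def to_der(data):
    """Accept the bytes of a PEM or raw DER certificate file; return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def signature_algorithm(data):
    """Name the outer signatureAlgorithm of an X.509 certificate."""
    der = to_der(data)
    tag, cert_start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, _, tbs_end = read_tlv(der, cert_start)      # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)       # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    oid = der[oid_start:oid_end]
    return SIG_OIDS.get(oid, "other:" + oid.hex())

def tlv(tag, value):  # DER encoder, used only to build the constructed samples
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_cert(oid_hex):  # constructed skeleton (not a real cert): filler TBS, chosen OID
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    return tlv(0x30, tlv(0x30, b"\x00" * 300) + alg + tlv(0x03, b"\x00" * 17))
```

To check a real file, pass its bytes, for example `signature_algorithm(open("ca.crt", "rb").read())`, where `ca.crt` is a placeholder name for the exported CA certificate.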