lama
Participant

SSL Self-Signed Certificate vulnerability

Hello, 

The Nessus scanner shows vulnerabilities on the gateways because they use self-signed certificates at the web Gaia level.
I want to import certificates signed with our certification authority, but I am not sure of the impact it will have on the infrastructure, for example at SIC level ...

Thanks a lot

1 Solution

Accepted Solutions
PhoneBoy
Admin

To change the Gaia portal cert: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To my knowledge, you cannot change ICA to use a third party CA.
Most portals exposed to users (as well as VPN) can be configured to use a certificate signed by a different CA.

7 Replies
_Val_
Admin

It is only a vulnerability if you do not know who signed those certificates. No actual issue here.

lama
Participant

Thank you for your response.

What is the impact if I import certificates signed with our certification authority on the infrastructure (at SIC level ...)?

_Val_
Admin

First, you do not want to change SIC certs, neither root, nor those issued. If you try, you will have to re-do all SIC with all GWs, not a good idea. 

If your concern is SSL certs only, identify exactly which portals need to be changed.

lama
Participant

Thanks for your reply.

All I want to do is change the certs at the Gaia portal level, and I really don't want that to impact anything else, like SIC communication or cluster communication. If there is any doubt about that, I will not make any change.

lama
Participant

Hello @PhoneBoy

Thank you very much for your reply.

I have one more question, please: if I change the certificate used by the platform portal, should I change it for all other portals, since all portals on the same Security Gateway IP address use the same certificate ( https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_MobileAccess_AdminGuide/h... )?

PhoneBoy
Admin

You should be able to do that, yes.
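
Added example, not part of the thread or of Check Point's documentation: one way to confirm, after replacing the Gaia portal certificate, that the served certificate is no longer self-signed and chains to your own CA, using the openssl CLI. The file names, the `gw.example.test` host name and the throwaway CA are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# A portal certificate can be saved for checking with, for example:
#   openssl s_client -connect <gateway>:<port> </dev/null | openssl x509 -out portal.pem

# classify_cert CERT_PEM CA_BUNDLE_PEM
# Prints one of: self-signed | ca-signed | untrusted (returns 2 if CERT_PEM is unreadable)
classify_cert() {
    cc_cert=$1; cc_ca=$2
    cc_subj=$(openssl x509 -in "$cc_cert" -noout -subject_hash 2>/dev/null) || return 2
    cc_iss=$(openssl x509 -in "$cc_cert" -noout -issuer_hash 2>/dev/null) || return 2
    # Self-signed: subject and issuer names match AND the certificate
    # verifies when it is used as its own trust anchor.
    if [ "$cc_subj" = "$cc_iss" ] &&
       openssl verify -CAfile "$cc_cert" "$cc_cert" >/dev/null 2>&1; then
        echo self-signed
    # Note: openssl verify also consults its default CA directory; add
    # -no-CApath (OpenSSL 1.1.0+) to trust only the bundle given here.
    elif openssl verify -CAfile "$cc_ca" "$cc_cert" >/dev/null 2>&1; then
        echo ca-signed
    else
        echo untrusted
    fi
}

# make_demo_certs DIR: constructed sample data (a throwaway CA, a self-signed
# portal certificate, and a portal certificate issued by that CA).
make_demo_certs() {
    md=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Internal CA" \
        -keyout "$md/ca.key" -out "$md/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=gw.example.test" \
        -keyout "$md/self.key" -out "$md/self.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=gw.example.test" \
        -keyout "$md/gw.key" -out "$md/gw.csr" 2>/dev/null &&
    openssl x509 -req -in "$md/gw.csr" -CA "$md/ca.pem" -CAkey "$md/ca.key" \
        -CAcreateserial -days 2 -out "$md/gw.pem" 2>/dev/null
}

# Usage: sh check_cert.sh portal.pem internal-ca.pem
if [ $# -eq 2 ]; then classify_cert "$1" "$2"; fi
```

A result of `untrusted` means the certificate is neither self-signed nor issued under the CA bundle that was passed in, which usually points to a wrong or incomplete bundle.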
