Juraj_Skalny
Contributor

SSL wildcard certificate for firewall SAML portal

Hello,

I'm wondering if there is any way to install a company SSL wildcard certificate for the firewall SAML portal in order to avoid browser security warnings. There is a post indicating that this works, but no how-to is listed.

Thank you for your help,

Juraj

PhoneBoy
Admin

Pretty sure this is where you configure it:


image.png

Juraj_Skalny
Contributor

Hello PhoneBoy,

Thank you for the response!

For SAML authentication, the certificate is uploaded here.

CaptureSAML.JPG

The primary concern was how to introduce an already-signed company wildcard certificate (*.domain.com) to the firewall.

I only found sk69660, which describes a procedure starting with a CSR and sending it to a 3rd-party CA for signing, etc.

But there is a way to bypass the CSR and proceed with an already-signed certificate.

We had a *x509.cer certificate with a *.key (private key).

The first step was to rename *x509.cer to *x509.crt.

Make sure that the CRT file has the full certificate chain up to a trusted root CA.

The second step was to combine *x509.crt with *.key. This step is documented in sk69660:

[Expert@gw]# cpopenssl pkcs12 -export -out Final_cert_name.p12 -in *x509.crt -inkey *.key

Then the last step is just to upload it to the portal settings according to your picture or the other picture.

All worked like a charm.

Thanks,

Juraj

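A worked check of the steps in the post above, added here as an example and not code from the thread or from Check Point: it confirms the private key belongs to the certificate and that the certificate chains to a trusted root before building the .p12, then counts the certificates that actually landed in the bundle. It uses stock openssl instead of cpopenssl, and the "Demo Root CA" plus *.example.com leaf are constructed stand-ins for the company CA and wildcard certificate.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a wildcard certificate and
# its private key before bundling them into the PKCS#12 the portal imports.
# Plain openssl is used here; on a gateway the same subcommands run as cpopenssl.
set -eu

# check_pair CERT KEY: succeed only if the public key in CERT matches KEY.
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# check_chain LEAF CAFILE: LEAF must verify against a root contained in CAFILE.
check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_p12 CRT KEY OUT PASS: CRT should hold the leaf plus its chain, as the
# post says; every certificate in CRT is copied into the resulting .p12.
build_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# count_p12_certs P12 PASS: number of certificates stored in the bundle
# (2 = leaf + root in the demo; a missing intermediate shows up as a low count).
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# make_demo_material DIR: constructed throwaway root CA and *.example.com leaf,
# stand-ins for the company CA and the already-signed wildcard certificate.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=*.example.com' \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:*.example.com\n' > "$1/san.cnf"
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/san.cnf" -out "$1/leaf.crt" 2>/dev/null
    # the CRT handed to the gateway must carry the full chain, so append the root
    cat "$1/leaf.crt" "$1/ca.crt" > "$1/wildcard_x509.crt"
}
```

For a real import, point check_pair and check_chain at the company .crt, .key and CA bundle; a mismatch there is what later surfaces as a portal that presents the wrong or incomplete chain.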
PhoneBoy
Admin

Ah, didn't know you were referring to the SAML portal for Remote Access.
But yes, this makes sense: the cert you import needs to have the full certificate chain included and be in the correct format.

glyaskov
Explorer

Hello Juraj and PhoneBoy,

Following this post I was able to successfully import our company's wildcard certificate, *.domain.com. I have a DNS record for vpn.domain.com resolving to the firewall's external IP address. When creating the site I receive a warning message, which I have to Trust, stating that the presented certificate name *.domain.com differs from the site name vpn.domain.com. There is also a security alert appearing every time the Secure Remote VPN client is started, leading to multiple complaints from employees.

When I open the main URL in a browser, https://vpn.domain.com/saml-vpn, it redirects to https://<firewall_external_ip>/saml-vpn/Access, which most probably causes the observed security alert.

Is there a way to replace the redirect url without recreating the IDP object?

glyaskov
Explorer

Found the issue. It seems that the MULTIPORTAL_HOSTNAME variable in /opt/CPshrd-R81/conf/multiportal/httpd-conf/saml-vpn/httpd.conf keeps the IPv4 address instead of the vpn.domain.com FQDN. The issue was fixed by manually editing the value.
