Hi Jason,
You won't need to change the certificates on the CP Management Server. You'll need to install a new SubCA certificate issued from the Microsoft CA to the gateway.
As you have to import the certificate for this via the Smart Console from a .pfx, you will have to create the CSR somewhere else, then let the AD CA sign the request and fulfill the procedure on the Check Point. Then convert / export this to a pfx+password pair.
As far as I remember, most security products based on Linux and similar have problems with certificates that use the RSASSA-PSS algorithm. That can be kind of a show stopper.
Creating Request:
You can use openssl on a Check Point machine (expert mode) or the Windows certreq / certutil tools.
A hint on how to use openssl for creating a request and converting the certificate files to .pfx:
How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to...
Signing the CSR on the Microsoft CA
Depending on the CA configuration and demands, you'll have to create a new SubCA template, for example.
Now you can copy the cert file to the machine where you created the CSR and, according to the link above, convert it to pfx and export the bundle to a pfx file and password.
Copy the created file to your client.
Now you can install the certificate to the gateway using the .pfx file - described here:
Best Practices - HTTPS Inspection
Once you have imported the certificate, you should export the private key to somewhere no one has access to, except in case of emergency, and delete it from the local machine.
Hope it helped
Daniel
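
The procedure described in the post above, as an added example that is not part of the original post or of Check Point's documentation: create the key and CSR with openssl, have them signed, confirm the result is not RSASSA-PSS signed and matches the key, then bundle it into a password-protected .pfx. A throwaway local root stands in for the Microsoft CA so the script runs offline; the file names, subjects and password are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example: every name, subject and the password below is a constructed placeholder.
set -euo pipefail
PFX_PASS='ChangeMe-Placeholder'

# First "Signature Algorithm" field of a certificate (sha256WithRSAEncryption, rsassaPss, ...).
sig_alg() {
  openssl x509 -in "$1" -noout -text |
    awk -F': ' '/Signature Algorithm/ && !seen++ {print $2}'
}

# Succeeds only when certificate $1 and private key $2 carry the same public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Key + CSR -> signed SubCA certificate -> password-protected .pfx, all inside directory $1.
make_subca_pfx() (
  cd "$1"
  # 1. Private key and CSR, created outside SmartConsole.
  openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out gw.csr \
    -subj '/CN=Constructed HTTPS Inspection SubCA'
  # 2. Stand-in for the Microsoft CA (assumption): a local test root signs the CSR as a CA cert.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj '/CN=Constructed Test Root' -days 30
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
  openssl x509 -req -in gw.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -sha256 -days 30 -extfile subca.ext -out gw.crt
  # 3. Pre-import checks: reject an RSASSA-PSS signature, confirm the cert belongs to our key.
  case "$(sig_alg gw.crt)" in
    *[Pp][Ss][Ss]*) echo 'RSASSA-PSS signed certificate; request a PKCS#1 v1.5 signature' >&2; exit 1 ;;
  esac
  key_matches_cert gw.crt gw.key
  # 4. Bundle key, certificate and issuer into the .pfx, then re-open it to verify the password.
  openssl pkcs12 -export -inkey gw.key -in gw.crt -certfile root.crt \
    -out gw.pfx -passout "pass:$PFX_PASS"
  openssl pkcs12 -in gw.pfx -passin "pass:$PFX_PASS" -noout
)

work=$(mktemp -d)
make_subca_pfx "$work"
echo "bundle: $work/gw.pfx  signature: $(sig_alg "$work/gw.crt")"
```

With a real Microsoft CA, step 2 is replaced by submitting `gw.csr` to the CA and saving the issued certificate as `gw.crt`; the checks in step 3 then run against what the CA actually returned.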