Jason_Yeung
Explorer

HTTPS Inspection with Microsoft CA R80.10

My client wants to use their own Microsoft AD server to generate the certificate and import it into the Mgmt server for HTTPS Inspection of outgoing traffic. We are currently using the Internal CA certificate from the Check Point Mgmt server itself, and it works.

My question is: do we need to generate a CSR and let their AD sign the certificate for this purpose? If yes, how do we generate it on platform R80.10? Hope you guys could provide me with a detailed procedure. Thanks.

0 Kudos
1 Reply
Nüüül
Advisor

Hi Jason,

You won't need to change the certificates on the CP Management Server. You'll need to install a new SubCA certificate issued from the Microsoft CA on the gateway.

As you have to import the certificate for this via SmartConsole from a .pfx, you will have to create the CSR somewhere else, then let the AD CA sign the request and fulfil the procedure on the Check Point. Then convert / export this to a pfx + password pair.

As far as I remember, most security products based on Linux and similar have problems with certificates that use the RSASSA-PSS algorithm. That can be kind of a show stopper.

Creating Request:

You can use openssl on a Check Point machine (expert mode) or the Windows certreq / certutil tools.

A hint on how to use openssl for creating a request and converting the certificate files to .pfx:

How to generate Server Certificate Signing Request (CSR) and import the new 3rd Party certificate to... 

Signing the CSR on the Microsoft CA

Depending on the CA configuration and demands, you'll have to create a new SubCA template, for example.

Now you can copy the cert file to the machine where you created the CSR and, according to the link above, convert it to pfx and export the bundle as a pfx file and password.

Copy the created file to your client.

Now you can install the certificate to the gateway using the .pfx file - described here:

Best Practices - HTTPS Inspection 

When you have imported the certificate you should export the private key to somewhere no one has access to, unless in case of emergency, and delete it from the local machine.

Hope it helped

Daniel
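The openssl side of the procedure in the reply above, as an added example that is not from the thread or from Check Point: it builds the SubCA CSR, stands in for the Microsoft CA with a throwaway local root so that it runs offline, packs the signed certificate and key into the .pfx that SmartConsole imports, and checks the two properties the reply cares about, a CA certificate and a classic RSA signature rather than RSASSA-PSS. Subject names, the working directory and the password are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's or Check Point's own code. The local root
# below only stands in for the Microsoft CA so the script runs offline.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # placeholder working directory

make_subca_pfx() {
  cd "$WORK"
  # 1. Key and CSR for the SubCA (subject values are placeholders).
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout subca.key -out subca.csr \
    -subj "/C=XX/O=Example Corp/CN=HTTPS Inspection SubCA" 2>/dev/null
  # 2. Stand-in for the Microsoft CA: a throwaway local root that signs the
  #    CSR with the extensions a SubCA template would grant (CA:TRUE, keyCertSign).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout root.key -out root.crt \
    -subj "/C=XX/O=Example Corp/CN=Stand-in Root" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
  openssl x509 -req -in subca.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile subca.ext -out subca.crt 2>/dev/null
  # 3. Bundle certificate + key (+ issuer chain) into the .pfx for SmartConsole.
  #    "ChangeMe" is a placeholder export password.
  openssl pkcs12 -export -inkey subca.key -in subca.crt -certfile root.crt \
    -out subca.pfx -passout pass:ChangeMe 2>/dev/null
  echo "$WORK/subca.pfx"
}

# Returns 0 when the cert is a CA cert signed with plain sha256WithRSA,
# i.e. not RSASSA-PSS, which the reply warns some products cannot handle.
check_subca_cert() {
  txt="$(openssl x509 -in "$1" -noout -text)"
  echo "$txt" | grep -q 'CA:TRUE' || return 1
  echo "$txt" | grep -qi 'Signature Algorithm: rsassaPss' && return 1
  echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption'
}

make_subca_pfx
check_subca_cert "$WORK/subca.crt" && echo "SubCA certificate looks usable for HTTPS Inspection"
```

On a real deployment the CSR from step 1 goes to the Microsoft CA instead of the stand-in root, and the returned certificate replaces subca.crt before step 3.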
