Customer is getting the Connection is not secure prompt before usercheck block page. Customer is quite cautious towards compliance and even the HTTPS Inspection Outbound certificate has been created with sha 256 algo.
As per customer HTTPS Usercheck Block page is not compliant as per there organization policy because it gives prompt for page being not secure
how to solve the same?
Dameon Welch Abernathy help here 
Please check if the UserCheck URL is changed to https. By default, it is http:
Additionally, make sure that once the https is enabled, the Root CA issuing the certificate is added to your clients' Trusted Root CAs IN ADDITION to the actual certificate for that of the UserCheck portal.
Otherwise, validation of the Issuing CA's certificate will fail.
You may find this of interest or help:
…possible reason you are keep getting the “untrusted” messages in the browsers is due to your CheckPoint Management Server’s certificate not being included in the Trusted Root CAs.
"This portal using an auto-generated certificate. You can import your own certificate" is actually referring to the VPN cert.
When browser sees the VPN cert, it is trying to verify who has issued it and if it can trust the issuer.
The VPN cert is issued not by the gateway, but by the Management Server.
For you not to see warnings for UserCheck and VPN, three certificates must be installed in each computer’s Trusted Root CAs:
See the screenshots below:
2. Exporting VPN Cert using Chrome
3., 4. Exporting VPN Cert Using Chrome continues
5. Saving VPN Cert
6. Navigating up the Certification path (In “General” tab, we are still looking at the VPN Certificate, but in Certification Path, we are moving to the Root)
7., 8. Root CA Certification export continues
9., 10. Root CA Certification export continues
11. Saving CheckPoint Management Root CA
12. All three certificates must be present in Trusted Root CAs on every computer to avoid certificate warnings with UserCheck and VPN.
Cheers,
Vladimir
If the CA that signed that certificate isn't trusted by the browser, you'll still get the error.
That's the issue you need to fix 
There's nothing wrong with using SHA256--no specific precautions are required that I am aware of.
I'm generating 2 certificate's through openssl (SHA256), one for HTTPS Inspection and other for Usercheck block page.
HTTPS inspection works fine but the Usercheck Block page doesn't work as expected.
As said earlier, My obervations:-
"If the CA that signed that certificate isn't trusted by the browser, you'll still get the error.
That's the issue you need to fix "
Have made both certificates CA as "Trusted Root Certification Authorities". Still getting ssl error for Usercheck Block Page 
I did all this before, will give it another shot.
Please check if the UserCheck URL is changed to https. By default, it is http:
Additionally, make sure that once the https is enabled, the Root CA issuing the certificate is added to your clients' Trusted Root CAs IN ADDITION to the actual certificate for that of the UserCheck portal.
Otherwise, validation of the Issuing CA's certificate will fail.
You may find this of interest or help:
…possible reason you are keep getting the “untrusted” messages in the browsers is due to your CheckPoint Management Server’s certificate not being included in the Trusted Root CAs.
"This portal using an auto-generated certificate. You can import your own certificate" is actually referring to the VPN cert.
When browser sees the VPN cert, it is trying to verify who has issued it and if it can trust the issuer.
The VPN cert is issued not by the gateway, but by the Management Server.
For you not to see warnings for UserCheck and VPN, three certificates must be installed in each computer’s Trusted Root CAs:
See the screenshots below:
2. Exporting VPN Cert using Chrome
3., 4. Exporting VPN Cert Using Chrome continues
5. Saving VPN Cert
6. Navigating up the Certification path (In “General” tab, we are still looking at the VPN Certificate, but in Certification Path, we are moving to the Root)
7., 8. Root CA Certification export continues
9., 10. Root CA Certification export continues
11. Saving CheckPoint Management Root CA
12. All three certificates must be present in Trusted Root CAs on every computer to avoid certificate warnings with UserCheck and VPN.
Cheers,
Vladimir
Thanks Vladimir Yakovlev & Dameon Welch Abernathy.
Such detailed explanation, it becomes really helpful to everyone.
The certificate issued by the Management to the Gateway (Server Certificate) also contains IP address as a Alternate Subject Name.
I was able to drill down the issue with our Customer regarding this.
Customer changed the Gateway Cluster Object's IP address which changed the Platform & Usercheck Portal's Main URL.
Browser's opened Block Page on the new URL and the certificate didn't match the URL w.r.t. Alternate Subject Name.
Hence the error ERR_CERT_COMMON_NAME_INVALID (Chrome)
We can renew the certificate and update other interface IP also (if required)
Once certificate was renewed and published to user's, No error prompt in browser's faced by user's.
Note:- When creating a Certificate from Organizational Internal CA then also it important to mention the Subject Alternate Name.
Sorry for such late reply
Additional Reference :- UserCheck redirects to HTTPS even when UserCheck Portal is configured as HTTP
Hello,
I was able to do it, but i searched a bit before finding it
From Windows, certificate authority and generate a dedicated WebServer template.
-> That can be exportable with Private key
-> One that i can change the "Issued To"
-> I've then made a request via MMC -> Local Computer
And it works in a domain environment.
Everybody if is trusting the domain (which is normal by default in Windows domain as it was issued by the domain CA) will work like a charm
Kind regards,
David.D
Few years later, but anyway, in case anyone is looking for solution:
The short answer, if the users are external to your organization and the certificate is self-signed is a no.
What you are asking is to install an unsanctioned by user untrusted CA.
To make this work properly, generate CRL for publicly trusted CA, get the paid certificate and import it in Portal Access Settings for Browser-Based Authentication.
Use this for references on how to create CSR:
How to generate the Wildcard certificate (SAN) CSR for Multi-Portal sk170395
| User | Count |
|---|---|
| 4 | |
| 3 | |
| 2 | |
| 2 | |
| 1 | |
| 1 |
Tue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 12 Nov 2024 @ 02:00 PM (CET)
Part 1: Harnessing AI to Prevent Cyber Attacks and Enhance Defense - EMEATue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
