Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Duminda_SAT
Participant

Mobile Access VPN CA Signed SSL Certificate create for Public IP

Jump to solution

Hi, 

We have a requirement for install Global CA Singed Certificate for Mobile VPN connections, I am aware of CP Gateway OpenSSL options to create the CSR and get the sign with FQDN for certificates, but the requirement is different customer does not have FQDN and need to generate CSR for the Public IPs this is a clustered environment and there are 3 Public IPS (VIP , Active , Standby). 

Please advise how to do this task.

Thank you.

0 Kudos
1 Solution

Accepted Solutions
funkylicious
Advisor

Hi,

This is the way I do it for all servers/appliances where I need a CSR to be signed.

1. create the config file with the attributes:

ssl.cnf

 

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = 
stateOrProvinceName = 
localityName = 
organizationName = 
organizationalUnitName = 
commonName = 
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = fqdn
DNS.2 = hostname
IP.1 = IP

 

 

2. generate the appropriate files

 

 

openssl req -nodes -newkey rsa:2048 -keyout $(hostname).key -out $(hostname).csr  -config ssl.cnf

 

In our case we should use cpopenssl instead of openssl

 

 

 

View solution in original post

7 Replies
G_W_Albrecht
Legend
Legend

sk170297 tells us:

  • Whenever possible, configure the Mobile Access portal URL to point to an FQDN with a 3rd-party CA-signed server certificate.
  • Otherwise, configure the Mobile Access portal URL to point to what the client's browser points to: If the Security Gateway is behind NAT, configure the external (visible) IP address, instead of the Security Gateway's private IP address (and the server certificate must also be signed to the external IP address).

In you case, the IP the client's browser points to is the VIP !

CCSE CCTE SMB Specialist
0 Kudos
tmorgan
Contributor

This strikes me as a bad idea... and I agree with what @G_W_Albrecht is saying. I would always use a domain name in the middle as it gives you the ability to redirect users to annother appliance if you are having a bad day. Use soemthing like NO-IP to get a free domain name. That being said I am pretty sure you will need to use openssl (the example below is from a Fedora Remix WSL instance).

Start by generating a private key (you want to keep this really secure). Replace any "82.0.0.1" with the public IP of your choice. The numbers at the start of the file name "20211113" is just the date it was created in UNC format. This date is not important but is very useful when your working with a lot of certificates.

[tmorgan@nagnai-tmor03 ~]$ openssl genrsa -out 20211013_82.0.0.1.pem.key 4096
Generating RSA private key, 4096 bit long modulus (2 primes)
...................................................................................................................++++
..............................................................................................................++++
e is 65537 (0x010001)

 

Then generate the CSR. Again replace the "82.0.0.1" IP Address with your IP address of choice. 

[tmorgan@nagnai-tmor03 ~]$ openssl req -new \
>      -key 20211013_82.0.0.1.pem.key \
>      -out 20211013_82.0.0.1.pem.csr \
>      -subj "/C=GB/ST=County/L=City/O=Customer /OU=IT services/CN=82.0.0.1" \
>      -addext "subjectAltName=IP.1:82.0.0.1"
[tmorgan@nagnai-tmor03 ~]$

 

From here you should then be able to read the CSR any make sure the content looks correct.

[tmorgan@nagnai-tmor03 ~]$ openssl req -noout -text -in 20211013_82.0.0.1.pem.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = GB, ST = County, L = City, O = "Customer ", OU = IT services, CN = 82.0.0.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:d8:74:2b:50:bf:49:9d:a5:c8:68:c1:28:e3:c7:
                    25:3f:7b:7d:6b:84:04:06:88:f4:82:0d:6e:0d:4d:
                    f8:60:da:10:fa:71:67:4e:5c:1f:0f:fb:1f:52:29:
                    77:e0:f1:5b:8e:16:24:d2:53:15:ab:7e:58:d8:a1:
                    14:22:d6:fc:80:20:67:95:81:c9:9b:57:37:5f:b8:
                    fb:df:a5:93:ff:d8:3c:35:86:1f:39:79:68:44:1a:
                    b4:9e:52:94:50:bb:dd:12:20:0e:8e:a3:b0:ee:8d:
                    15:93:25:b9:ec:2f:16:a6:68:6f:46:99:09:d2:eb:
                    db:ca:74:af:1b:49:1a:ff:4b:7b:f6:4a:2d:3a:36:
                    4a:da:d2:f5:e7:68:94:b3:d5:fd:f0:88:b7:ce:92:
                    30:35:ad:3a:66:b4:1f:cc:05:a4:8e:cc:41:eb:a7:
                    5a:4e:d4:60:1c:6e:01:51:8a:94:c0:10:24:1f:3a:
                    dd:3d:90:65:25:2c:b5:49:a6:d2:ac:14:d2:40:d0:
                    f8:3c:f9:1e:ad:40:a5:61:e0:aa:ac:8b:ae:ed:52:
                    02:93:a7:e5:28:6d:74:72:ab:4f:1d:66:2d:d2:21:
                    64:cd:38:16:41:00:5c:6e:1e:48:8d:2a:a5:40:18:
                    df:e2:90:b9:5a:34:da:12:63:72:56:67:ef:b9:bd:
                    62:4d:8d:65:34:72:04:f2:7f:0c:ec:7d:86:6d:3d:
                    36:1a:0d:38:e0:b3:fa:33:8f:03:5c:7d:e1:2a:a3:
                    72:e1:c5:f5:b2:23:2f:2b:15:fa:ce:b5:52:0f:79:
                    77:3a:c3:cc:03:01:39:dd:2a:b4:92:71:12:39:60:
                    91:d4:3f:ba:f5:9d:7b:5d:2c:de:53:4c:8a:f5:b6:
                    86:3b:95:22:b5:e9:d1:6c:b7:57:aa:4f:88:4a:cc:
                    5a:51:3f:eb:f0:7c:a6:1e:14:2f:00:30:34:0e:40:
                    67:4e:76:b0:47:5d:7f:17:68:68:84:2f:7b:a6:a4:
                    aa:a8:9a:fc:b4:1d:58:2f:15:77:19:46:18:45:0f:
                    6e:e2:c8:c2:a4:8c:49:30:87:e1:85:b5:c5:de:bf:
                    8b:7b:cd:46:3e:bc:43:87:2a:79:05:20:ba:93:d3:
                    6f:5b:c1:0f:ef:9f:5a:c2:67:64:03:75:a2:98:ed:
                    87:48:01:e1:be:2d:c7:a9:52:c0:a3:e2:42:f7:27:
                    01:90:07:10:f2:9c:06:20:d5:7e:4c:15:11:d7:ff:
                    b0:c0:10:35:3b:89:a1:35:39:46:09:71:a1:c8:a5:
                    e2:3f:66:88:da:83:0f:f8:6d:ca:97:1b:11:34:33:
                    ca:e9:be:cf:5f:e8:f6:79:f0:e1:4c:c0:a9:c7:e7:
                    13:78:27
                Exponent: 65537 (0x10001)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:82.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
         56:54:d5:2a:3c:d3:f6:5f:18:30:7b:fd:22:5d:ba:8d:17:9f:
         e2:43:85:11:5c:c7:d8:0a:fc:2a:0b:57:25:95:6a:78:ec:76:
         99:2d:8a:a6:fd:80:4b:5d:57:27:8f:84:cb:b2:5f:1a:11:8b:
         c5:db:69:6c:cc:f8:42:a7:da:b0:80:b4:9a:b0:61:cc:82:62:
         a8:3c:89:00:f6:94:15:b7:49:09:d2:ae:53:1b:32:05:fc:df:
         c9:78:e1:fa:6e:45:dd:5b:bc:11:73:85:cf:f2:da:e0:f5:48:
         7f:a9:bc:3f:56:7f:dd:f1:a8:99:2a:a9:14:f2:3d:f4:91:68:
         c0:91:ce:71:1e:9c:1c:ad:49:3a:52:05:1e:69:c9:a4:32:a9:
         18:69:fa:d3:ad:c2:a1:5a:9c:73:f6:cb:d2:d2:7d:ef:f6:0f:
         6f:c8:c3:ec:7a:24:0e:eb:ab:40:6f:ab:6b:12:9b:28:f8:eb:
         69:11:d9:f8:23:71:61:f7:14:f3:ff:9b:d2:8b:fc:91:2f:a6:
         c4:c5:05:13:de:5f:92:6b:3e:c6:e6:38:78:23:fb:c6:03:b8:
         df:2b:f7:27:ec:15:80:fd:d4:83:bc:fa:cc:17:7d:69:33:5c:
         e0:01:41:55:c2:2d:2d:10:fa:53:91:3a:74:be:fd:24:ff:3e:
         35:83:10:6a:bc:9c:5f:fa:02:f0:69:26:fc:e2:13:1b:37:da:
         4b:69:fc:84:19:60:d4:c2:a5:01:46:ed:bb:61:dd:a9:f6:83:
         b8:81:ec:b6:29:55:4e:bf:3c:8a:24:ed:ce:d0:fe:8d:98:be:
         e4:4f:d9:1b:36:43:41:a2:d9:c1:59:e0:cd:c3:5b:d3:27:d6:
         11:30:29:18:41:43:99:df:cb:ef:07:62:90:6c:7c:42:a5:07:
         5f:ee:8c:92:cd:3f:22:4e:20:8c:22:1e:2a:0d:1b:d6:51:3c:
         8b:8d:24:e3:21:a7:04:4e:29:dd:b3:ec:44:c6:a4:72:70:56:
         95:e2:b9:cb:fa:97:6c:ed:3a:1a:2f:03:39:9d:1f:6c:6e:79:
         76:a3:10:3f:f6:6c:ba:2c:6a:22:ac:05:ae:79:21:f0:f6:dd:
         2a:db:05:98:a1:17:9e:2e:44:74:eb:a8:71:fe:37:9a:b7:bd:
         d2:23:99:24:f2:fe:c9:d3:9f:ef:c2:cf:f0:b3:db:41:17:b6:
         05:36:29:72:25:89:69:da:4d:5d:72:55:b5:a8:9f:5e:63:ad:
         2f:09:ba:9d:53:d1:41:20:ac:86:c7:e0:27:7e:78:b1:ae:59:
         34:b0:1b:ce:80:28:f2:52:ed:7b:ba:87:0b:76:13:f5:2a:34:
         d8:09:9c:ae:ef:c8:8d:7c
[tmorgan@nagnai-tmor03 ~]$

 

Please test this works by signing it against a free/internal CA first before spending any money on it as I have not had chance to sign this example and test it on a appliance running the VPN blade.

0 Kudos
tmorgan
Contributor

Just spotted the three IP requirement. I am pretty sure you only need to sign for the VIP but just in case maybe try this...

-addext "subjectAltName=IP.1:82.0.0.1,IP.2:82.0.0.2,IP.3:82.0.0.3"
0 Kudos
Duminda_SAT
Participant

Hi tmorgan & Albrecht

Thanks for the update, I have tried create csr using GAIA OS command I failed with below error . 

Command : 

cpopenssl req -new \
-key duminda.key \
-out duminda.csr \
-subj "/C=GB/ST=County/L=City/O=Customer /OU=IT services/CN=112.195.158.3" \
-addext "subjectAltName=IP.1:112.195.158.3

 

Error : 

"unknown option -addext"

0 Kudos
funkylicious
Advisor

Hi,

This is the way I do it for all servers/appliances where I need a CSR to be signed.

1. create the config file with the attributes:

ssl.cnf

 

[req]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = 
stateOrProvinceName = 
localityName = 
organizationName = 
organizationalUnitName = 
commonName = 
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = fqdn
DNS.2 = hostname
IP.1 = IP

 

 

2. generate the appropriate files

 

 

openssl req -nodes -newkey rsa:2048 -keyout $(hostname).key -out $(hostname).csr  -config ssl.cnf

 

In our case we should use cpopenssl instead of openssl

 

 

 

View solution in original post

tmorgan
Contributor

I don’t normally do this on a Check Point. It is probably possible however Check Point doesn’t tend to work in the same way most other Linux distros work. As @funkylicious has already mentioned the standard command "openssl" that is the same one almost every Linux distro needs to be replaced with "cpopenssl" for Check Point. I tend to use WSL on my windows machine as I then have a vendor neutral method that I can use across multiple technologies.

If you are interested in the WSL approach I have just thrown together a guide here on how to setup WSL if it helps.... https://ramblings.nagronia.co.uk/2021/10/windows/windows-10-install-wsl-fedora-remix/

 

0 Kudos
Duminda_SAT
Participant

Hi, 

Thank you so much for the valuable response. 

 

Best Regards,

Duminda Lakmal

0 Kudos