Alias
Participant

Secure Domain Logon - Certificate is badly signed

Hey Mates,

We are using Remote Access VPN with a 3rd party CA (Windows PKI) on an 80.20 setup.

When clients try to use the secure logon to connect prior to Windows login, the users get a failed connection with the error message "Certificate is badly signed". As soon as the Windows login is over, the Remote Access login works just fine.

Also, we switched our CA a while ago. This problem only happens with certificates from the new CA; with certificates from the old CA, domain logon works.

I don't really understand how to read the "Certificate is badly signed" message.

What does this mean? How can it be badly signed and then it is accepted 2 minutes later? Is this a CRL problem?

I would appreciate some input if anybody has had such an issue before.

Cheers

 

0 Kudos
4 Replies
PhoneBoy
Admin

Did you import the CA key and all the intermediate certificates into the CA key store on the client?
When you imported the CA key into the gateway, did you also include any intermediate certificates?
At least from a few TAC cases, this seems to be one potential reason for the issue.

0 Kudos
Alias
Participant

Hey Phoneboy,

Thank you for your reply.

Yes, the CAs are correctly implemented on the clients and the gateway. Just for my own understanding, if it weren't correctly configured, the VPN shouldn't work at all?

I deactivated the CRL checking on the gateway as described in sk21156 to see if it is a CRL problem, but it still doesn't work.

 

0 Kudos
PhoneBoy
Admin

Would recommend opening a TAC here.

0 Kudos
Alias
Participant

Hey,

Yeah, I am afraid I have to.

I tried a couple of things and I suspect it has to do with another issue I had a while ago with renewing a CA, which I posted here:

https://community.checkpoint.com/t5/Remote-Access-VPN/How-to-implement-a-renewed-3rd-Party-Issuing-C...

We'll see. Thanks for your help.

Cheers

D

 

 

0 Kudos