Hello!
We ran into a rather strange issue where our mobile access clients suddenly choose the other certificate of the two, resulting in authentication issues when connecting to our site.
No changes have been made to either the client package, Check Point gateway or anything.
Before diving in too deeply, I just want to ask.
How does the Mobile Access client decide on which certificate in its list to present when connecting to its site?
It has worked without any client intervention before with auto-connect, but suddenly they get an authentication error and have to choose the correct certificate manually.
Any input here would be appreciated, so I know where to start looking.
What precise client and version on what precise gateway version?
In Add/Remove Programs it is listed as Check Point VPN with version 98.61.2331. I checked sk102150 but can't really find the exact version number there.
The client is Check Point Mobile.
We will start the process to upgrade to a newer version, but to my knowledge, no changes have been made to the firewall nor the client and its configuration during the holidays.
Only thing worth mentioning is that they may have had issues with the certificate enrollment, as the client started telling users that their certificate was expiring within x amount of days.
Check Point is not the Certificate enroller here.
So I was hoping to see if their certificate enrollment perhaps made any changes, which then changed the order of the certificate in some way or another.
Hence why I want to know how mobile access selects a certificate in its list if more are available.
My guess is it's E84.30.
Also, it's possible older certificates may need to be removed as the client is picking the "first" one (not necessarily the most recent one), at least based on my recent experience.
Thanks for the input.
The current problem though is that another PKI's certificate is being selected as first.
Not that the old certificate in the valid PKI is being chosen.
So what decision-making process does it use to have a cert being considered first and what not?
Thanks again.
Just had time to troubleshoot this further.
So the problem isn't really it just automagically choosing another certificate in the list; it is due to certificate renewal in combination with auto-connect.
In the list, most if not all clients have at least two certificates to choose from, but the client has long since cached the certificate to use when auto-connecting.
What we saw was that when I renewed the certificate and immediately rebooted my computer, we received the error that it was unable to find a valid certificate during auto-connect.
I'm just assuming here, but I suppose it is looking for the old certificate prior to the renewal, and doesn't find the new one properly.
Is there a workaround to this? Working as intended? Newer version has a fix?
Thanks again.