This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Henkpoa
Explorer
‎2022-02-01 01:21 PM

Mobile Access Client Certificate auto choice

Hello!

We ran into a rather strange issue where we our mobile access clients suddently chooses the other certificate of the two, resulting in authentication issues when connecting to our site.

No changes have been made to either the client package, Check Point gateway or anything.

Before diving in too deeply, I just want to ask.

How does the Mobile Access client decide on which certificate in its list to present when connecting to its site?

It has worked without any client intervention before with auto-connect, but suddenly they get an authentication error and have to choose the correct certificate manually.

Any input here would be appreciated, so I know where to start looking.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2022-02-01 10:48 PM

What precise client and version on what precise gateway version?

0 Kudos
Henkpoa
Explorer
‎2022-02-01 11:50 PM
In response to PhoneBoy

In add-remove programs it is mentioned as Check Point VPN with version 98.61.2331, checked sk102150 but can't really find the exact version number there.
The client is Check Point Mobile.

We will start the process to upgrade to a newer version, but to my knowledge, no changes have been made to the firewall nor the client and its configuration during the holidays.

Only thing worth mentioning is that they may have had issues with the certificate enrollment, as the client started telling users that their certificate was expiring within x amount of days.

Check Point is not the Certificate enroller here.

So I was hoping to see if their certificate enrollment perhaps made any changes, which then changed the order of the certificate in some way or another.

Hence why I want to know how mobile access selects a certificate in its list if more are available.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-02-02 01:29 AM
In response to Henkpoa

My guess is it's E84.30.
Also, it's possible older certificates may need to be removed as the client is picking the "first" one (not necessarily the most recent one), at least based on my recent experience.

0 Kudos
Henkpoa
Explorer
‎2022-02-03 11:33 PM
In response to PhoneBoy

thanks for the input.

The current problem though is that another PKI's certificate is being selected as first.
Not that the old certificate in the valid PKI is being chosen.

So what decision-making process does it use to have a cert being considered first and what not?

Thanks again.

0 Kudos
Henkpoa
Explorer
‎2022-02-04 01:58 AM
In response to PhoneBoy

Just had time to troubleshoot this further.

So the problem isn't really it just automagically choosing another certificate in the list, it is due to certificate renewal in combination with auto-connect.

In the list, most if not all clients have at least two certificates to choose from, but the client has since long cached the certificate to use when auto-connecting.

What we saw, was when I renewed the certificate, and immediately rebooted my computer, we received the error that it was unable to find a valid certificate during auto connect.

I'm just assuming here, but I suppose it is looking for the old certificate prior to the renewal, and doesn't find the new one properly.

Is there a workaround to this? Working as intended? Newer version has a fix?

Thanks again.

0 Kudos