[jmkeller]

Having the same issue, VeriSign will sign the CSR with their intermediate CA certificate. When I tried to complete the request, the import fails with:

"The direct CA certificate in the received chain doesn't match the CA
certificate for which you created the Certificate Request. Check that
the chain was received from the right CA"

I tried to create a cert file with both the Intermediate CA and the signed host certificate together in one file, which is the solution for the connectra product as well as what we've done for some Cisco ASAs that use VeriSign certificates.

Still have a Checkpoint TAC case open, all I get back are the docs using the VeriSign 'test' CA which direct signs CSRs.

-James