CPUG - The Check Point User Group: A Resource For The Check Point Community. Fast. Useful. Independent.
Certificates

Hi people! Wonder if you might be able to help... I'm trying to convert a ".cer" certificate file to a PEM format. I managed this by using the p12toPem tool, but when I add the certificate in Connectra it just sat there looking at me. Is there a tool to just convert the .cer file to PEM without all the cack methods of importing, exporting, blah blah blah?

Cheers
Dan
Oh, this is fun.... I sent a nice long doc up to the Check Point forum, which they are looking to add as a technote, as it explains how to use intermediary CA certificates from Verisign. I think you will find your answer below.

Cheers
Greg

----

In the Connectra command line, in expert mode, run the following command:

    csr_gen <output filename>

    [Expert@connectra]# csr_gen connectra

This creates the following output:

    /opt/CPcvpn-R60E/bin/csr_gen : Creating Key and Certificate Signing Request based on the following information :
    Key Size : rsa:2048
    Number of days to certify the certificate for : 365
    CSR output filename : connectra.csr
    Private Key output filename : connectra.key
    OpenSSL config file : /opt/CPcvpn-R60E/conf/openssl.cnf
    Do you want to continue (y/n)? [y] :

Press <Enter> to accept the default. (Later it will be discussed how to change the defaults.)

You will see the following message:

    Do you want the private key file to be encrypted (recommended, but you'll need to remember the password till you install the signed certificate in Connectra) (y/n)? [y] :

Press Enter to accept the default. The script will then invoke OpenSSL to create the key and the CSR according to these settings. You will see the following output:

    /opt/CPcvpn-R60E/bin/csr_gen : Executing <openssl req -new -newkey rsa:2048 -out connectra.csr -keyout connectra.key -days 365 -config /opt/CPcvpn-R60E/conf/openssl.cnf>
    Generating a 2048 bit RSA private key
    ......................................+++
    .......+++
    writing new private key to 'connectra.key'
    Enter PEM pass phrase:

This message informs you about the creation of the server key file and requests a password to encrypt it. (This password request is because "Y" was the answer to the last question.) Enter a password and confirm as instructed.

    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.

Fill in the required data according to these guidelines. All fields are optional; the most important field is the Common Name. This should match your site name and Fully Qualified Domain Name (FQDN), e.g. connectra.mycompany.com. A challenge password is not required.

    -----
    Country Name (2 letter code) [AU]: GB
    State or Province Name (full name) [Some-State]: Berkshire
    Locality Name (eg, city) []: Windsor
    Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany.com
    Organizational Unit Name (eg, section) []: Network Security
    Common Name (eg, your name or your server's hostname) []: connectra.mycompany.com
    Email Address []: certificate_request@mycompany.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []: .

After completion, you will see a message displayed, similar to this:

    /opt/CPcvpn-R60E/bin/csr_gen: Operation Succeeded
    Your Private Key File is: connectra.key
    Your CSR File is: connectra.csr
    NOTE: You should pass the CSR file to your CA. When you get back the signed certificate file from the CA you'll need to install it in Connectra together with the Private Key file and with the password for it (in case you specified one)

The results of the script are:

- The file connectra.csr: send it to your certificate signing authority. You will then receive a signed certificate file for your server.
- The file connectra.key: keep it. When you get the above signed certificate file, you'll need to install them together in your Connectra using the management (under Settings->Server Certificate). In case you provided a password for it, you'll need to remember it and provide it to Connectra during that installation.

NOTE: If files with the names server1.csr or server1.key already exist on the machine, they will be overwritten without warning.

Pass the CSR file to the Certificate Authority (Verisign), and keep the .key Private Key File. Make sure you remember the password (if any) for the Private Key File. SCP the Connectra.key file to your local hard disk for use when installing the certificate.

The CA will return the Digital Certificate as an email. Cut and paste everything including -----BEGIN CERTIFICATE----- through to -----END CERTIFICATE----- into a new file called Connectra.crt.

Next open a web browser and go to the URL under the INTERMEDIATE CA CERTIFICATE section of the email; this is usually http://www.verisign.com/support/install/intermediate.html

Copy and paste the certificate on this page onto the bottom of the Connectra.crt file created above. Save and exit the file. In our example, this file will now look like this:

    -----BEGIN CERTIFICATE-----
    MIIFChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXChMWVmVyaVNpZ24gVHJ1c3Qg
    ...etc...etc...etc...ChMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1U
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
    ...etc...etc...etc...MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24
    LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
    -----END CERTIFICATE-----

Open a web browser to the Connectra Administration portal. Your URL should look something like this: https://connectra.mycompany.com:4433/

Login as a Connectra Administrator and on the navigation tree, click Settings > Server Certificate. The Server Certificate page appears. Click Change Server Certificate. The Change Server Certificate window appears. You can either upload a server certificate or server certificate chain (received from a trusted CA, for example), or generate a self-signed server certificate.

To upload the server certificate chain to the Connectra gateway, enter or browse to the Connectra.crt file in the Certificate file box, and enter or browse to the Connectra.key file. If you specified a password for the certificate in the CSR (you should have done), check Use Password and supply the password. Click Save and Install Policy.

To overwrite the administration portal certificate with the end user certificate, we must replace the administration portal certificate. The administration portal certificate is not encrypted with a password, and the end user portal certificate is encrypted, therefore we must create an unencrypted version of the user portal certificate. To create an unencrypted version of the portal certificate, use the following OpenSSL commands.

Important note: please be sure to back up the old certificates before starting this change. You can get the current password by running GetServerSSLInfo (of course you need root permissions to do so).

    [Expert@connectra]# mkdir tmp
    [Expert@connectra]# cd tmp
    [Expert@connectra]# cp $CVPNDIR/var/ssl/server.p12 .
    [Expert@connectra]# openssl pkcs12 -in server.p12 -nokeys -out temp.crts -passin pass:"<password>" -nomacver
    [Expert@connectra]# openssl pkcs12 -in server.p12 -nocerts -out temp.key -passin pass:"<password>" -nomacver -nodes
    [Expert@connectra]# openssl pkcs12 -export -out new.p12 -in temp.crts -inkey temp.key -passout pass:""
    [Expert@connectra]# cp new.p12 $WEBISDIR/servcert/servcert.p12
    [Expert@connectra]# service CPwebis restart
    Shutting down cp_http_server_wd: [ OK ]
    Shutting down cpwmd_wd: [ OK ]
    Running cp_http_server_wd: [ OK ]
    Running cpwmd_wd [ OK ]

After verifying that the certificate has been correctly deployed, for security reasons, remove all the files from the tmp directory.
I did not have to go to all that trouble. I took the Verisign cert for the Connectra and the intermediate cert for Verisign and chained them together by pasting them both into Notepad and saving the file as a .cer. Installed it into Connectra R62 and it worked fine. There is an SK on this somewhere. Of course it was not available when I went through trial and error.

mike
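The .cer-to-PEM conversion Dan asked about, and the chain file that Greg's Connectra.crt and Mike's pasted-together .cer both amount to, as an added shell example; this is editorial code, not from the thread, from Check Point or from Verisign. It assumes only the openssl command-line tool (1.1.1 or 3.x). Because nothing here can talk to a real CA, the root, intermediate and server certificates are constructed on the spot with throwaway keys; every name in them (Demo Root CA, Demo Intermediate CA, connectra.mycompany.com) and every file name is made up. The point is the three checks a practitioner should run before uploading: the chain verifies up to the root, the private key belongs to the leaf, and the CN is the FQDN the portal is reached on.

```shell
#!/bin/sh
# Added example (not from the CPUG thread or Check Point): convert a CA-issued
# ".cer" to PEM, chain it with the intermediate CA certificate (leaf first,
# as in Greg's Connectra.crt), and prove the result is good before uploading.
# Runs offline: the demo PKI below is constructed here with throwaway keys.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed demo PKI, root -> intermediate -> server. All names are made up.
make_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' >srv.ext
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
        -out root.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
        -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=connectra.mycompany.com' \
        -keyout server.key -out server.csr 2>/dev/null
    openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 30 -extfile srv.ext -out server.pem 2>/dev/null
    # CAs often hand back the signed leaf as binary DER named ".cer"; emulate that.
    openssl x509 -in server.pem -outform DER -out server.cer
}

# to_pem IN OUT: a ".cer" is either binary DER or base64 PEM; detect and convert.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1"; then inform=PEM; else inform=DER; fi
    openssl x509 -in "$1" -inform "$inform" -outform PEM -out "$2"
}

# build_chain OUT LEAF INTERMEDIATE...: server cert first, then issuing CAs.
# The root is deliberately left out; clients must already trust it.
build_chain() {
    out=$1; shift
    cat "$@" >"$out"
}

# show_chain CHAIN: print subject/issuer of every cert so the order is visible.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# count_certs FILE: number of PEM certificates in a chain file.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# verify_chain ROOT CHAIN LEAF: does the leaf chain up to the root using only
# the intermediates in CHAIN? Exit status 0 means yes.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# key_matches_cert CERT KEY: compare the public key in the cert with the one
# derived from the private key; a mismatch is the classic "uploaded the wrong
# .key" failure.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_cn CERT: the Common Name, which should equal the portal's FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's|.*CN=\([^,/]*\).*|\1|p'
}

make_demo_pki
to_pem server.cer leaf.pem                 # the step Dan asked about
build_chain chain.pem leaf.pem int.pem     # Greg's Connectra.crt / Mike's .cer
show_chain chain.pem
verify_chain root.pem chain.pem leaf.pem && echo "chain verifies up to the root"
key_matches_cert leaf.pem server.key && echo "private key matches the certificate"
echo "CN: $(cert_cn leaf.pem)"
```

If verify_chain fails with the intermediate present, the usual cause is that the wrong intermediate was pasted in; show_chain makes that obvious because the leaf's issuer will not equal the intermediate's subject. Running key_matches_cert against the key you are about to upload catches the other common mistake before the gateway rejects the pair.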