CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Installing a 3rd party SSL certificate

  1. #1
    Join Date
    2006-10-05
    Posts
    2

    Default Installing a 3rd party SSL certificate

    I apologize if this is the wrong section or if the question has been answered before (I didn't find it). I'd like to import a pfx certificate for use with SSL Extender, but I can't find any documentation on this. I know how to generate a new certificate using the built in CA and how to assign that to SSL Extender but I can't see how to import a 3rd party one.

    Any assistance would be greatly appreciated.

    Jeremy

  2. #2
    Join Date
    2006-04-26
    Posts
    33

    Default Re: Installing a 3rd party SSL certificate

    I'm trying to do the same thing.

    I assume you have to import the trusted root certs of 3rd party as a Trusted CA in the "Servers and OPSEC Applications" bit of SmartDashboard.

    Then generate a CSR from the Enforcement module object. Under the VPN section, add a new cert issued from the 3rd party root, then click on View and copy the CSR to your clipboard to send to the 3rd party so that they can generate the signed copy. When the cert comes back you can click on Complete and you then have a cert on the system. Once the cert is on the system you can go to the SSL section under Remote Access and choose the 3rd party cert.

    Hope this helps, if you have not figured it out for yourself yet.

    Bruce

  3. #3
    Join Date
    2006-10-05
    Posts
    2

    Default Re: Installing a 3rd party SSL certificate

    I am trying to use a wildcard certificate issued from an external CA for our domain. I can create a certificate using our internal CA, but that won't help our remote access users, since I cannot always add our CA as a trusted authority. I would also rather not purchase another certificate if I can get this one to work.

  4. #4
    Join Date
    2006-04-26
    Posts
    33

    Default Re: Installing a 3rd party SSL certificate

    Again, you need to get the trusted root certs from the external CA added to SmartDashboard and generate a CSR from there.

    I think with a wildcard cert the CN may need to be *.<yourdomain>, but the external CA can tell you about that.

  5. #5
    Join Date
    2007-04-20
    Posts
    2

    Default Re: Installing a 3rd party SSL certificate

    I did this using a temp Certificate. When I view I don't see the CSR. Can you explain what I am doing wrong?

    Quote Originally Posted by BruceR
    I'm trying to do the same thing.

    Then generate a CSR from the Enforcement module object. Under the VPN section, add a new cert issued from the 3rd party root, then click on View and copy the CSR to your clipboard to send to the 3rd party so that they can generate the signed copy.

    Bruce

  6. #6
    rhmeyering Guest

    Default Re: Installing a 3rd party SSL certificate

    You have to create a Certificate Signing Request (CSR) first from the SNX SmartCenter, then you can import the SSL certificate. These instructions are based on VeriSign, but the methodology should work for any trusted root SSL certificate vendor.

    For VPN-1/Firewall-1 NG and above
    Use procedure below, based on Internet Explorer 6:

    1. Open the IE 6 browser.
    2. Select Tools --> Internet Options --> Content --> Certificates --> Trusted Root Authorities.
    3. Locate "Verisign Trust Network" (Expires 8/1/2028)
    4. Export the certificate,
    Export the Verisign Trust Network to a file in Base64 Encoded X.509 [Verisign.CER] format.
    5. Open Check Point SmartDashboard
    6. Go to Manage - Servers and OPSEC Applications
    7. Create a New Certificate Authority -> Trusted (OPSEC PKI).
    8. On OPSEC PKI screen, select HTTP Servers. Click "Get" choose the certificate file that was exported in step 4 and then click "OK".
    9. Edit Firewall/Cluster object --> VPN in the Certificates List
    10. Click "Add" to add a new certificate to the Certificate List using the newly created CA.
    Nickname: SNXCert (something else you like)
    11. Click "Generate" and the system creates a "Certificate Signing Request" (CSR). DN: CN=sslvpn.yourdomain.com,OU=ITDEPT,O=YOURCOMPANY,L=HOMETOWN,ST=YOURSTATE,C=US
    Check the Box Define Alternate Names - pick FQDN and then email from the drop down list
    Click Add [FQDN] - enter your alias FQDN, click Add [email] and enter your email address.
    12. Click View and copy to clipboard or save to a text file (including BEGIN, END and dashes).
    13. Copy this output into the Verisign enrollment form, on the Verisign web site.
    14. Verisign signs the public key defined by the CSR and emails a digital certificate.
    15. In SmartDashboard - Manage Servers and OPSEC Applications - Edit the OPSEC PKI CA created in step 7.
    16. Select "Get" and import the digital certificate.
    17. Edit the Cluster object --> VPN --> Certificate List field.
    18. Select "Add", and add the new certificate.
    19. Select the Verisign CA.
    20. Select "Get"
    21. Install the Security policy.
    22. Edit the Cluster object --> Remote Access --> SSL Network Extender --> in the drop down list choose the VeriSign certificate and then click "OK".
    23. Install the Security Policy.

  7. #7
    Join Date
    2008-01-18
    Posts
    7

    Default Re: Installing a 3rd party SSL certificate

    Can anyone update this as if they have had success?

    We have SSL Network Extender/R65/Windows 2003, but I can't get the certificate to work.

  8. #8
    Join Date
    2006-07-20
    Posts
    3

    Default Re: Installing a 3rd party SSL certificate

    Having the same issue, VeriSign will sign the CSR with their intermediate CA certificate. When I tried to complete the request, the import fails with:

    "The direct CA certificate in the received chain doesn't match the CA
    certificate for which you created the Certificate Request. Check that
    the chain was received from the right CA"

    I tried to create a cert file with both the intermediate CA and the signed host certificate together in one file, which is the solution for the Connectra product as well as what we've done for some Cisco ASAs that use VeriSign certificates.

    Still have a Check Point TAC case open; all I get back are the docs using the VeriSign 'test' CA, which direct-signs CSRs.

    -James
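An added example, not from any post in this thread and not Check Point's tooling: a small POSIX shell script that uses the openssl command line to reproduce the situation James describes above (the public CA signs the CSR with an intermediate, while the CA object you created the request under in step 7 holds the root) and to check a returned certificate against the CA object before you click "Complete". It assumes openssl 1.1.1 or later is on PATH; the root, intermediate, DN and alternate names are all constructed for the demonstration, echoing the placeholders in step 11 of rhmeyering's procedure.

```shell
#!/bin/sh
# Added example (not from the thread, not Check Point's tooling): reproduce the
# "direct CA certificate ... doesn't match" situation with a constructed throwaway
# PKI, and check a returned certificate against the CA it will be imported under.
# Assumes the openssl CLI (1.1.1 or 3.x) is on PATH. All names and the DN are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed three-tier PKI: root -> intermediate -> gateway certificate,
# which is how a public CA issues server certificates in practice.
make_demo_pki() {
  dir=$1
  # Self-signed root (stands in for the root exported from the browser in step 4).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA, signed by the root, with CA:TRUE so it may sign leaf certs.
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  openssl x509 -req -sha256 -days 365 -in "$dir/int.csr" \
    -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
    -extfile "$dir/ca.ext" -out "$dir/int.pem" >/dev/null 2>&1
  # Gateway CSR with the DN and alternate names of step 11 (constructed values).
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/ST=YOURSTATE/L=HOMETOWN/O=YOURCOMPANY/OU=ITDEPT/CN=sslvpn.yourdomain.com" \
    -addext "subjectAltName=DNS:sslvpn.yourdomain.com,email:admin@yourdomain.com" \
    -keyout "$dir/gw.key" -out "$dir/gw.csr" >/dev/null 2>&1
  # The CA signs the CSR with its INTERMEDIATE, not with the root you imported.
  openssl x509 -req -sha256 -days 365 -in "$dir/gw.csr" \
    -CA "$dir/int.pem" -CAkey "$dir/int.key" -CAcreateserial \
    -out "$dir/gw.pem" >/dev/null 2>&1
}

# Subject of the CSR as it will be pasted into the enrollment form (step 12).
csr_dn() {
  openssl req -in "$1" -noout -subject
}

# Name of whoever actually signed the certificate: that is the CA object you need.
signer_name() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Does the certificate's Issuer equal the Subject of the CA object the request was
# created under? Returns 0 if yes. This is the comparison behind the error above.
direct_issuer_matches() {
  ca_subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  cert_issuer=$(signer_name "$2")
  [ "$ca_subject" = "$cert_issuer" ]
}

# Full-chain validation: root trusted, intermediate supplied as untrusted,
# leaf verified. Returns 0 only when every link checks out.
chain_verifies() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

make_demo_pki "$WORK"
echo "CSR: $(csr_dn "$WORK/gw.csr")"
if direct_issuer_matches "$WORK/root.pem" "$WORK/gw.pem"; then
  echo "root signed the gateway certificate directly; complete the request under the root CA object"
else
  echo "mismatch: signed by '$(signer_name "$WORK/gw.pem")', not the root you imported"
  echo "create a second Trusted (OPSEC PKI) CA object holding the intermediate and complete the request there"
fi
if chain_verifies "$WORK/root.pem" "$WORK/int.pem" "$WORK/gw.pem"; then
  echo "chain root -> intermediate -> gateway verifies"
fi
```

Run it as-is to see the mismatch on the constructed PKI; with a real delivery, point `direct_issuer_matches` at the exported CA certificate and the certificate the vendor emailed back. If it fails, `signer_name` tells you which intermediate to fetch from the vendor and import as its own CA object, which is the chained-CA arrangement rhmeyering describes later in the thread, and `chain_verifies` confirms the intermediate actually links to the root you already trust.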

  9. #9
    Join Date
    2005-12-01
    Location
    Maryland
    Posts
    11

    Default Re: Installing a 3rd party SSL certificate

    I've had the same problems getting it to work with VeriSign. I decided to try another CA: Thawte. I did a 'trial' certificate and it worked right the first time.

    Thawte even has a link to download copies of ALL of their CA certificates, so you know you have the right one.

  10. #10
    rhmeyering Guest

    Default Re: Installing a 3rd party SSL certificate

    In some cases you have to create an External CA for both the CA root certificate and their intermediate CA certificate. This is referred to as a chained CA certificate. Check Point is quite picky and requires that chained CA certificates contain the full FQDN chain in the intermediate certificate. I have had problems with VeriSign; Thawte, GoDaddy and many others appear to work fine.

  11. #11
    Join Date
    2010-01-11
    Posts
    1

    Default Re: Installing a 3rd party SSL certificate

    Quote Originally Posted by rhmeyering
    You have to create a Certificate Signing Request (CSR) first from the SNX SmartCenter, then you can import the SSL certificate. These instructions are based on VeriSign, but the methodology should work for any trusted root SSL certificate vendor.

    For VPN-1/Firewall-1 NG and above
    Use procedure below, based on Internet Explorer 6:

    1. Open the IE 6 browser.
    2. Select Tools --> Internet Options --> Content --> Certificates --> Trusted Root Authorities.
    3. Locate "Verisign Trust Network" (Expires 8/1/2028)
    4. Export the certificate,
    Export the Verisign Trust Network to a file in Base64 Encoded X.509 [Verisign.CER] format.
    5. Open Check Point SmartDashboard
    6. Go to Manage - Servers and OPSEC Applications
    7. Create a New Certificate Authority -> Trusted (OPSEC PKI).
    8. On OPSEC PKI screen, select HTTP Servers. Click "Get" choose the certificate file that was exported in step 4 and then click "OK".
    9. Edit Firewall/Cluster object --> VPN in the Certificates List
    10. Click "Add" to add a new certificate to the Certificate List using the newly created CA.
    Nickname: SNXCert (something else you like)
    11. Click "Generate" and the system creates a "Certificate Signing Request" (CSR). DN: CN=sslvpn.yourdomain.com,OU=ITDEPT,O=YOURCOMPANY,L=HOMETOWN,ST=YOURSTATE,C=US
    Check the Box Define Alternate Names - pick FQDN and then email from the drop down list
    Click Add [FQDN] - enter your alias FQDN, click Add [email] and enter your email address.
    12. Click View and copy to clipboard or save to a text file (including BEGIN, END and dashes).
    13. Copy this output into the Verisign enrollment form, on the Verisign web site.
    14. Verisign signs the public key defined by the CSR and emails a digital certificate.
    15. In SmartDashboard - Manage Servers and OPSEC Applications - Edit the OPSEC PKI CA created in step 7.
    16. Select "Get" and import the digital certificate.
    17. Edit the Cluster object --> VPN --> Certificate List field.
    18. Select "Add", and add the new certificate.
    19. Select the Verisign CA.
    20. Select "Get"
    21. Install the Security policy.
    22. Edit the Cluster object --> Remote Access --> SSL Network Extender --> in the drop down list choose the VeriSign certificate and then click "OK".
    23. Install the Security Policy.

    When it comes time to renew the certificate, do I need to delete the old one and follow the same steps above? The Renew button is greyed out on that CA, and I cannot find any other way to replace the old certificate with the new one.

  12. #12
    Join Date
    2017-06-09
    Posts
    2

    Default Re: Installing a 3rd party SSL certificate

    Hi there, I have a follow-up question.

    When I am trying to regenerate a new CA I am getting the message saying "Certificate with the same DN already exist on [Cluster Name]".

    My signed certificate has not expired and I would like to generate a new CA to have it signed. May I delete the old CA, since I would like to use the same DN as previously?

    Will there be any impact if I delete the CA? I am assuming no.

    My concern is, I see the same cert name assigned on the VPN Clients page under the "The gateway authenticates with this certificate" drop down menu. However, I am guessing this is not the CA, rather a signed certificate.

    Please advise.

    Thanks,
    Yuwanthiran

  13. #13
    Join Date
    2017-06-09
    Posts
    2

    Default Re: Installing a 3rd party SSL certificate

    Quote Originally Posted by JRhodes
    When it comes time to renew the certificate, do I need to delete the old one and follow the same steps above? The Renew button is greyed out on that CA, and I cannot find any other way to replace the old certificate with the new one.

    Do we have an answer to this? Is it okay to delete the old CA when it is time to renew?
