Installing a 3rd party SSL certificate

[jrabbit]

I apologize if this is the wrong section or if the question has been answered before (I didn't find it). I'd like to import a pfx certificate for use with SSL Extender, but I can't find any documentation on this. I know how to generate a new certificate using the built in CA and how to assign that to SSL Extender but I can't see how to import a 3rd party one.

Any assistance would be greatly appreciated.

Jeremy

[BruceR]

I'm trying to do the same thing.

I assume you have to import the trusted root certs of 3rd party as a Trusted CA in the "Servers and OPSEC Applications" bit of SmartDashboard.

Then generate a CSR from the Enforcement module object. Under the VPN section, Add a new cert issued from the 3rd party root, then click on View and copy the CSR to your clipboard to send to the 3rd party so that they can generate the signed copy. When the cert comes back you can click on Complete and you then have a cert on the system. Then when the cert is on the system you can go to the SSL section under remote access and choose the 3rd part cert.

Hope this helps, if you have not figured it out for yourself yet.

Bruce

[jrabbit]

I am trying to use a wildcard certificate issued from an external ca for our domain. I can create a certificate using our internal ca but that won't help our remote access users, since I cannot always add our ca as a trusted authority. I would also rather not purchase another certificate if I can get this one to work.

[BruceR]

Again you need to get the trusted root certs from the external ca added to the SmartDashboard and generate a CSR from there.



I think with a wildcard cert the CN may need to be *.<yourdomain> , but the External CA can tell you about that.

[stretchy]

I did this using a temp Certificate. When I view I don't see the CSR. Can you explain what I am doing wrong?

I'm trying to do the same thing.

Then generate a CSR from the Enforcement module object. Under the VPN section, Add a new cert issued from the 3rd party root, then click on View and copy the CSR to your clipboard to send to the 3rd party so that they can generate the signed copy. .

Bruce

[rhmeyering]

You have to create a Certificate signing request (CSR) first from the SNX SmartCenter then you can import the SSL Certificate. These instructions are based on Versign. But the methodolgy should work for any trusted rool SSL Certificate vendor.

For VPN-1/Firewall-1 NG and above
Use procedure below, based on Internet Explorer 6:

1. Open IE 6. browser.
2. Select Tools --> Internet Options --> Content --> Certificates --> Trusted Root Authorities.
3. Locate "Verisign Trust Network" (Expires 8/1/2028)
4. Export the certificate,
Export the Verisign Trust Network to a file in Base64 Encoded X.509 [Verisign.CER] format.
5. Open Check Point SmartDashboard
6. Goto Manage - Servers and OPSEC Applications
7. Create a New Certificate Authority -> Trusted (OPSEC PKI).
8. On OPSEC PKI screen, select HTTP Servers. Click "Get" choose the certificate file that was exported in step 4 and then click "OK".
9. Edit Firewall/Cluster object --> VPN in the Certificates List
10. Click "Add" to add a new certificate to the Certificate List using the newly created CA.
Nickname: SNXCert (something else you like)
11. Click "Generate" and system creates a "Certificate Signing Request" (CSR). DN:CN=sslvpn.yourdomain.com,OU=ITDEPT,O=YOURCOMPAN Y,L=HOMETOWN,ST=YOURSTATE,C=US
Check the Box Define Alternate Names - pick FQDN and then email from the drop down list
Click Add [FQDN] - enter your alias FQDN, click Add [eamil] and enter your email address.
12. Click View and copy to clipboard or save to a text file (including BEGIN, END and dashes).
13. Copy this output into the Verisign enrollment form, on the Verisign web site.
14. Verisign signs the public key defined by the CSR and emails a digital certificate.
15. In SmartDashboard - Manage Servers and OPSEC Applications - Edit the OPSEC PKI CA created in step 7.
16. Select "Get" and import the digital certificate.
17. Edit the Cluster object --> VPN --> Certificate List field.
18. Select "Add", and add the new certificate.
19. Select the Verisign CA.
20. Select "Get"
21. Install the Security policy.
22. Edit the Cluster object --> Remote Access --> SSL Network Extender --> in the drop down list choose the verisign certificate and then click OK".
23. Install the Security Policy.

[dbs0026]

Can anyone update this as if they have had success?

We have SSL Network Extender/R65/Windows 2003, but I can't get the certificate to work.

[jmkeller]

Having the same issue, VeriSign will sign the CSR with their intermediate CA certificate. When I tried to complete the request, the import fails with:

"The direct CA certificate in the received chain doesn't match the CA
certificate for which you created the Certificate Request. Check that
the chain was received from the right CA"

I tried to create a cert file with both the Intermediate CA and the signed host certificate together in one file, which is the solution for the connectra product as well as what we've done for some Cisco ASAs that use VeriSign certificates.

Still have a Checkpoint TAC case open, all I get back are the docs using the VeriSign 'test' CA which direct signs CSRs.

-James

[mbutterfield]

I've had the same problems getting it to work with Verisign. I decided to try another CA. thawte - SSL certificates with extended validation from thawte the global SSL certificate authority. I did a 'trial' certificate and it worked right the first time.

Thawte even has a link to download copies of ALL of their CA certificates, so you know you have the right one.

[rhmeyering]

In some cases you have to create an External CA for both the CA Root Certificate and thier intermediate CA certificate. This is referred to as a chained CA cdertificate. Check Point is quite picky and requires that chained CA certificates contain the full FQDN chain in the intermediate certificate. I have had problems with Verisign, Thawte, GoDaddy and many other appear to work fine.

[JRhodes]

You have to create a Certificate signing request (CSR) first from the SNX SmartCenter then you can import the SSL Certificate. These instructions are based on Versign. But the methodolgy should work for any trusted rool SSL Certificate vendor.

For VPN-1/Firewall-1 NG and above
Use procedure below, based on Internet Explorer 6:

1. Open IE 6. browser.
2. Select Tools --> Internet Options --> Content --> Certificates --> Trusted Root Authorities.
3. Locate "Verisign Trust Network" (Expires 8/1/2028)
4. Export the certificate,
Export the Verisign Trust Network to a file in Base64 Encoded X.509 [Verisign.CER] format.
5. Open Check Point SmartDashboard
6. Goto Manage - Servers and OPSEC Applications
7. Create a New Certificate Authority -> Trusted (OPSEC PKI).
8. On OPSEC PKI screen, select HTTP Servers. Click "Get" choose the certificate file that was exported in step 4 and then click "OK".
9. Edit Firewall/Cluster object --> VPN in the Certificates List
10. Click "Add" to add a new certificate to the Certificate List using the newly created CA.
Nickname: SNXCert (something else you like)
11. Click "Generate" and system creates a "Certificate Signing Request" (CSR). DN:CN=sslvpn.yourdomain.com,OU=ITDEPT,O=YOURCOMPAN Y,L=HOMETOWN,ST=YOURSTATE,C=US
Check the Box Define Alternate Names - pick FQDN and then email from the drop down list
Click Add [FQDN] - enter your alias FQDN, click Add [eamil] and enter your email address.
12. Click View and copy to clipboard or save to a text file (including BEGIN, END and dashes).
13. Copy this output into the Verisign enrollment form, on the Verisign web site.
14. Verisign signs the public key defined by the CSR and emails a digital certificate.
15. In SmartDashboard - Manage Servers and OPSEC Applications - Edit the OPSEC PKI CA created in step 7.
16. Select "Get" and import the digital certificate.
17. Edit the Cluster object --> VPN --> Certificate List field.
18. Select "Add", and add the new certificate.
19. Select the Verisign CA.
20. Select "Get"
21. Install the Security policy.
22. Edit the Cluster object --> Remote Access --> SSL Network Extender --> in the drop down list choose the verisign certificate and then click OK".
23. Install the Security Policy.

When it comes time to renew the certificate, do I need to delete the old one and follow the same steps above? The renew button is greyed out on that CA, and I can not find any other way to replace the old certificate with the new one.

[yuwanthiran@hpe.com]

Hi there i have a follow up question.

When i am trying to regenerate a new CA I am getting the message saying "Certificate with the same DN already exist on [Cluster Name]"

My signed certificate has not expired and i would like to generate a new CA to have it signed. May i delete the old CA since i would like to use the same DN as previous ?

Will there be any impact if i delete the CA - I am assuming no.

My concern is, i see the same cert name assigned at the VPN Client page under the "the gateway authenticates with this certificate" drop down menu. - however, i am guessing this is not the CA, rather a signed certificate.

Please advice.

Thanks,
Yuwanthiran

[yuwanthiran@hpe.com]

When it comes time to renew the certificate, do I need to delete the old one and follow the same steps above? The renew button is greyed out on that CA, and I can not find any other way to replace the old certificate with the new one.

Do we have an answer to this ? Is it okay to delete the old CA when it is time to renew ?