Hi All,
We are using Checkpoint R81
Does anyone have a step-by-step process for updating Check Point gateway portal certificates? I don't find the Check Point documents very helpful.
Also, can the updates be done anytime without impacting services?
TIA
Hey.
You need a PFX/PKCS12/certificate with a password for the container.
Right now, Check Point still requires this PKCS12 certificate file to be created in the older legacy format. The easiest way to do it is to rebuild your PKCS12 file with "cpopenssl", provided by Check Point on their Gaia platform.
Anyway, if you've got this, head to your gateway and import your newly created SSL certificate via the Import button.
At this time, having the Main URL point to a URL like the one in the cert is recommended.
Probably the web portal will run on a different port compared to where your SSL clients connect, so let's take a look at these.
You got Portal Settings for your Mobile VPN Clients, your SSL VPN Clients (and to a certain degree SSL TLS for Mail).
If you change or import the new PKCS12 Cert all other portals (besides SSL for Mail) will use the new certificate. You get a warning. It is highly recommended to change the Main URL to the URI in the Cert.
Installing the Signed Certificate
To install the certificate:
Log in to SmartConsole.
From the left Navigation Toolbar, click Gateways & Servers.
Open the Gateway object.
In the navigation tree, click the appropriate Software Blade page:
Mobile Access > Portal Settings
In the Certificate section, click Import or Replace.
Install the Access Policy on the gateway.
Hi Cassiopei,
Thank you, I will check the settings tomorrow to confirm. Do you by chance know the openssl command needed to convert to a PKCS12 cert?
The firewalls are currently not in DNS and the Gaia portal is currently accessed via IP. There are 8 firewalls. Is it likely to cause any impact to blade services when updating to use a local hosts file on the management server to resolve the name, or adding the firewalls to DNS?
Also, can they use a wildcard cert, or is it not recommended?
Hey again,
Somehow my previous post was removed by Reddit. Maybe the .crt file naming looked suspicious, like spam.
Anyway, my guess is you're receiving your files in PEM format. Then you can export them to PKCS12 with openssl, or in your case on the Gaia platform with cpopenssl:
cpopenssl pkcs12 -export -out certificate.p12 -inkey privatekey.key -in pubkey.crt -certfile intermediateca.crt
Some SSL vendors offer the option to download a PKCS12 created in "legacy mode".
Your firewalls have no DNS entry or your firewalls are not using DNS? I think it’s the former, as the latter is highly unlikely.
Just creating a forward entry in your DNS will not create a problem. Creating a reverse entry may cause local log entries on the firewalls to show the name (depending on the /etc/hosts configuration), which has no impact on the blades.
As always with DNS take this with a grain of salt. There is stuff that can go wrong, especially with old and weird configurations on external machines, that provide services to the firewalls.
Of course you can use a local hosts file on the management client to access the portal with no impact to any service.
Overall, it’s very unlikely to cause any impact to blade services.
If you change the URI and certificate in the portal settings or VPN/Mobile Access settings, be aware that you will lose the self-signed certificate. VPN clients will complain that their certificate (fingerprint) has changed.
Also, can they use a wildcard cert, or is it not recommended?
You can use wildcard certs and many people do so. Whether it's recommended? If you're using your certs for e.g. VPN access, I personally think publicly accessible entry points should be using a regular, non-wildcard certificate. There are abstract security advantages to using a regular certificate. On the other hand, there may be operational costs that favor wildcard certs.
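Worked example of the PEM-to-PKCS12 conversion discussed above, added here as an illustration and not code from the thread or from Check Point. It uses plain `openssl` so it runs anywhere; on Gaia the same arguments go to `cpopenssl`. It adds what the one-line command does not show: handling the "legacy format" question across OpenSSL versions (3.x needs `-legacy`, 1.1.x lacks the flag but already writes that encoding) and reading the container back to confirm the password works, the right subject is inside, and when it expires. The key, certificate, CN and password are constructed throwaway values.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a PKCS12 container the way
# the post describes and then reads it back to verify the password and contents.
# Assumptions: plain "openssl" is used so it runs anywhere; on Gaia substitute
# "cpopenssl" with the same arguments. The key, certificate, CN and password
# below are constructed throwaway values, not anything from a real gateway.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate a throwaway self-signed key and certificate so the example is
# self-contained. In real use the key is the one behind your CSR and
# pubkey.crt is the PEM certificate the CA returned.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=vpn.example.invalid" \
        -keyout "$WORK/privatekey.key" -out "$WORK/pubkey.crt" >/dev/null 2>&1
}

# Export to PKCS12. OpenSSL 3.x encrypts the container with AES/PBKDF2 by
# default, which older importers reject; "-legacy" restores the RC2/3DES
# encoding that the post calls the legacy format. OpenSSL 1.1.x has no
# "-legacy" switch but already writes that encoding, so fall back when the
# flag is rejected. Prints which path was taken.
build_pkcs12() {
    pass="$1"
    if openssl pkcs12 -export -legacy -out "$WORK/certificate.p12" \
            -inkey "$WORK/privatekey.key" -in "$WORK/pubkey.crt" \
            -passout "pass:$pass" >/dev/null 2>&1; then
        echo "legacy"
    else
        openssl pkcs12 -export -out "$WORK/certificate.p12" \
            -inkey "$WORK/privatekey.key" -in "$WORK/pubkey.crt" \
            -passout "pass:$pass" >/dev/null 2>&1
        echo "default"
    fi
}

# Dump the leaf certificate from the container. Tries "-legacy" first for the
# same reason as above, since OpenSSL 3.x also needs it to read RC2-encrypted
# containers. Exits non-zero on a wrong password.
p12_leaf_cert() {
    pass="$1"
    openssl pkcs12 -in "$WORK/certificate.p12" -nokeys -clcerts -legacy \
        -passin "pass:$pass" 2>/dev/null \
    || openssl pkcs12 -in "$WORK/certificate.p12" -nokeys -clcerts \
        -passin "pass:$pass" 2>/dev/null
}

# Subject of the certificate inside the container; the CN here is what the
# portal's Main URL should match.
pkcs12_subject() {
    p12_leaf_cert "$1" | openssl x509 -noout -subject
}

# Expiry of the certificate inside the container, useful for scheduling the
# renewal change before the portal starts throwing browser errors.
pkcs12_enddate() {
    p12_leaf_cert "$1" | openssl x509 -noout -enddate
}

# Usage when run directly:
make_test_material
echo "encoding used: $(build_pkcs12 'ChangeMe-p12-pass')"
pkcs12_subject 'ChangeMe-p12-pass'
pkcs12_enddate 'ChangeMe-p12-pass'
```

Add `-certfile intermediateca.crt` to the export call, exactly as in the post, when the CA gave you a chain; the read-back with `-clcerts` still shows only the leaf, so the subject check stays the same.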
Many thanks, will try this and update you. May be a while as I have to go via change control.
Yes, correct, the firewalls have no DNS entry. It's a while since I used Check Points. I don't see Mobile Access settings. The VPN cert has expired; I need to renew that. There is a wildcard cert on an XL gateway but the browser is still erroring; it already has a fingerprint, hence I needed to confirm if adding a local host entry on the management server causes any other issues.