Wednesday, February 15, 2012

Installing a 3rd party SSL certificate in Checkpoint Products

You have to create a Certificate Signing Request (CSR) first from the SNX SmartCenter; then you can import the SSL certificate. These instructions are based on VeriSign, but the methodology should work for any trusted root SSL certificate vendor.

For VPN-1/Firewall-1 NG and above
Use the procedure below, based on Internet Explorer 6:

1. Open the IE 6 browser.
2. Select Tools --> Internet Options --> Content --> Certificates --> Trusted Root Authorities.
3. Locate "Verisign Trust Network" (expires 8/1/2028).
4. Export the certificate:
Export the Verisign Trust Network certificate to a file in Base64 Encoded X.509 format [Verisign.CER].
5. Open Check Point SmartDashboard.
6. Go to Manage - Servers and OPSEC Applications.
7. Create a New Certificate Authority -> Trusted (OPSEC PKI).
8. On the OPSEC PKI screen, select HTTP Servers. Click "Get", choose the certificate file that was exported in step 4 and then click "OK".
9. Edit the Firewall/Cluster object --> VPN --> Certificates List.
10. Click "Add" to add a new certificate to the Certificate List using the newly created CA.
Nickname: SNXCert (or something else you like)
11. Click "Generate" and the system creates a Certificate Signing Request (CSR). DN: CN=sslvpn.yourdomain.com,OU=ITDEPT,O=YOURCOMPANY,L=HOMETOWN,ST=YOURSTATE,C=US
Check the box Define Alternate Names; pick FQDN and then email from the drop-down list.
Click Add [FQDN] and enter your alias FQDN; click Add [email] and enter your email address.
12. Click View and copy to clipboard or save to a text file (including BEGIN, END and dashes).
13. Copy this output into the Verisign enrollment form, on the Verisign web site.
14. Verisign signs the public key defined by the CSR and emails a digital certificate.
15. In SmartDashboard - Manage Servers and OPSEC Applications - Edit the OPSEC PKI CA created in step 7.
16. Select "Get" and import the digital certificate.
17. Edit the Cluster object --> VPN --> Certificate List field.
18. Select "Add", and add the new certificate.
19. Select the Verisign CA.
20. Select "Get"
21. Install the Security policy.
22. Edit the Cluster object --> Remote Access --> SSL Network Extender; in the drop-down list choose the VeriSign certificate and then click "OK".
23. Install the Security Policy.
---------------------------------------------------------------------------------------------------

How To Install 3rd-party SSL Certificate
http://supportcontent.checkpoint.com/documentation_download?ID=11955
---------------------------------------------------------------------------------------------------

Workaround for Using 3rd-Party Server Certificates with Mobile Devices on R75/R75.10 Gateways

Solution ID: sk62884
Product: Mobile Access / SSL VPN
Version: R75.10, R75
OS: SecurePlatform
Platform: All
Date Created: 08-May-2011
Last Modified: 19-Dec-2011
Symptoms
  • Check Point Mobile for iPhone and Android devices refuses to connect to gateways with 3rd-party CA server certificates that are managed by R75/R75.10 Security Managements.
  • Trying to enroll for an ICA certificate for users in the iPhone Mobile Access Client fails. The certificate is initialized in SmartDashboard.
  • During the failure, this log is seen in SmartView Tracker: "Establish trust with ICA failed. reason: There's no trusted server certificate by the given DN: CN=cnname,OU=ouname SSL Wildcard,OU=Provided by ouname,OU=unt,O=oname,ST=statename"
  • On the iPhone, this message is seen: "Enrollment failed, failed to establish trust."
Solution
Assuming that the 3rd-party server certificate was installed from SmartDashboard (which is the only correct way for R75/R75.10):
  1. Obtain a copy of the external CA server certificate's public file by exporting the certificate from SmartDashboard, using the 'View... > Details > Copy to file...' button. Select the "Base-64 encoded" file type.
  2. Place the file on the relevant gateway, at the '$CVPNDIR/var/ssl/server.crt' path. Rename the file extension to 'crt' if necessary. In case of a cluster, copy it to all members.
  3. Run the signing utility from the Security Management and make sure it reports success. (>certificate_signing_utility -upgrade)
  4. Install the policy.
  5. Connect with the mobile device to verify the configuration. 
------------------------------------------------------------------------------------------------

Does anyone know how to install a VeriSign cert in PEM format, and also the intermediate VeriSign CA, in SmartDashboard or by command line in the Connectra console?
I have sent my CSR to VeriSign and I have just received my portal certificate, and now I don't know how to. Can't find any document with instructions for the R62CM procedure.

Solved!
Just cut & paste everything including
---BEGIN CERTIFICATE---
through to
---END CERTIFICATE---
Cut & paste also the intermediate cert that came in the same email received from VeriSign.
The second part starts also with
---BEGIN CERTIFICATE---
and ends with
---END CERTIFICATE---
into a new file called connectra.crt. The file will look like this:
---BEGIN CERTIFICATE---
MII(your ssl certificate)
---END CERTIFICATE---
---BEGIN CERTIFICATE---
MII(intermediate cert)
---END CERTIFICATE---
Upload the file to Connectra and run $CVPNDIR/bin/InstallCert <certfile> <keyfile> '<passwd>', where your "keyfile" is the key previously generated with the CSR utility and "passwd" is the password used with the utility. Execute the cvpnrestart command. Pages 129 to 131 of the R62CM AdminGuide explain the procedure well (except the part that we have to concatenate your cert and the intermediate cert in one file).

One more thing that happened to me for the sake of future actions and no need to say but here it goes:
Keep your <certfile> and <keyfile> in a safe place and don't forget your <passwd>! If you need to reinstall Connectra, as long as you keep the same Distinguished Name you can always reinstall the SSL certificate with the above procedure.
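The concatenated chain file described in this answer can be checked before it is uploaded. The following is an added example, not code from the post or from Check Point: it splits a PEM file into its certificate blocks, rejects markers that are not the standard five dashes, and confirms that the server certificate comes first and that each certificate is issued by the one after it. The function names and the sample chain are constructed for the example.

```python
import base64
import re

# Added example (not Check Point's code): check a concatenated PEM chain file (leaf, then intermediate).
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of each block; reject files with malformed markers."""
    blocks = [base64.b64decode(m.group(1)) for m in PEM_RE.finditer(text)]
    if not blocks or any(b[:1] != b"\x30" for b in blocks):
        raise ValueError("bad PEM: need five-dash markers and a DER SEQUENCE body")
    return blocks

def tlv(buf, pos):
    """Decode one DER tag-length header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return raw DER of (issuer, subject)."""
    _, pos, _ = tlv(der, 0)              # enter Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)            # enter tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                 # optional explicit [0] version
        pos = tlv(der, pos)[2]
    pos = tlv(der, tlv(der, pos)[2])[2]  # skip serialNumber and signature
    issuer_end = tlv(der, pos)[2]
    issuer, pos = der[pos:issuer_end], tlv(der, issuer_end)[2]  # skip validity
    return issuer, der[pos:tlv(der, pos)[2]]

def chain_is_ordered(text):
    """True when each certificate's issuer equals the next block's subject."""
    names = [issuer_and_subject(d) for d in pem_blocks(text)]
    return all(names[i][0] == names[i + 1][1] for i in range(len(names) - 1))

# Constructed test data: hand-built DER with only the fields walked above.
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths suffice here
def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (commonName only)
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
def cert(subject, issuer):
    tbs = der(0x02, b"\x01") + der(0x30, der(0x06, b"\x2A\x86\x48")) + name(issuer) \
        + der(0x30, b"") + name(subject)  # serial, sigAlg, issuer, validity, subject
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
def pem(d):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(d).decode() + "-----END CERTIFICATE-----\n"
GOOD_CHAIN = pem(cert("sslvpn.example.com", "Example CA")) + pem(cert("Example CA", "Example Root"))
BAD_ORDER = pem(cert("Example CA", "Example Root")) + pem(cert("sslvpn.example.com", "Example CA"))
```

Run chain_is_ordered on the real connectra.crt text; a False result means the server and intermediate blocks are swapped or the intermediate does not match the certificate's issuer.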

--------------------------------------------------------------------------------------------

Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2011-08-16 10:01:20.0
TN 8025 - How do I install my certificate on a Checkpoint VPN appliance?
Question: How do I install my certificate on a Checkpoint VPN appliance?

Answer:

Obtain latest Entrust root certificate from:
http://www.entrust.net/developer/index.cfm
The appropriate cross certificate is presented to you when you obtain your certificate.

Step 1: Add the Entrust root certificate to your Checkpoint firewall:

1 - Go to Manage - Servers and OPSEC Applications.
2 - Create a New Certificate Authority > Trusted (OPSEC PKI).
3 - Name it Entrust_2048root. On the OPSEC PKI screen, select HTTP Servers. Click Get and point to the Entrust 2048 root certificate file that you downloaded.

Step 2: Add the Entrust L1C cross certificate:

1 - Go to Manage - Servers and OPSEC Applications.
2 - Create a New Certificate Authority -> Trusted (OPSEC PKI).
3 - Name it Entrust_intermediate. On the OPSEC PKI screen, select HTTP Servers. Click Get and point to the Entrust intermediate certificate file that you downloaded.

Step 3: Generate your CSR:

1 - Click Add to add a new certificate to the Certificate List using the intermediate CA that was created.
2 - Click Generate to have the system create a Certificate Signing Request (CSR).
DN:CN=sslvpn.yourdomain.com,OU=ITDEPT,O=YOURCOMPANY,L=HOMETOWN,ST=YOURSTATE,C=US
3 - Enable the box Define Alternate Names and pick an FQDN and email from the drop-down list.
4 - Click Add [FQDN]. Enter your alias FQDN. Click Add [email] and enter your email address.
5 - Click View and copy the text to the clipboard or save it to a text file (including BEGIN, END and dashes).
Once you have your CSR, you can submit it to Entrust to be signed. Entrust will then send you back your certificate.

Step 4: Install the certificate:

1 - Copy the certificate into Notepad and save it as entrust.cer.
2 - Go to the Checkpoint Gateway page > VPN.
3 - Under Certificate List click Complete.
4 - Select the entrust.cer file that you created and click OK.

Step 5: Select the Entrust certificate for use with SSL Extender

1 - Edit the gateway/cluster object and select Remote Access > SSL Clients.
2 - Select the new Entrust certificate in the drop-down list under the "The gateway authenticates with this certificate:" section and click OK.
3 - Push the policy to the gateway/cluster.

You have now installed an Entrust certificate on a Checkpoint VPN appliance.

--------------------------------------------------------------------------------------------------

How to Import a VeriSign Certificate to the Check Point firewall.

Resolution

To create a CSR using SmartDashboard, follow the steps below.
Install the VeriSign root certificate and the appropriate intermediate certificate:
1. Download the root certificate here: VeriSign Root Certificate.
2. Locate the intermediate certificate here: VeriSign intermediate CA certificates. Copy it to Notepad and save it as inter.cer.
3. Open SmartDashboard > Manage > Servers and OPSEC Applications.
4. Click New > CA > Trusted.
5. Name it Verisign_Root, go to the OPSEC PKI tab, click Get and select the VeriSign root certificate file saved earlier.
6. Click New > CA > Subordinate.
7. Name it Verisign_Intermediate, go to the OPSEC PKI tab, click Get and select the VeriSign intermediate certificate file created earlier.
Creating a CSR
1. Go to the Check Point Gateway page -> VPN
2. Under Certificate List click Add
3. Name your certificate and select Verisign_Intermediate as the CA to enroll from.
4. Enter the appropriate company details and common name for the certificate.
Apply for your SSL certificate on your local VeriSign homepage using the CSR created earlier (select Apache as the server platform).
To install the certificate:
1. Copy the certificate from the mail into Notepad and save it as cert.cer.
2. Go to the Check Point Gateway page > VPN.
3. Under Certificate List click Complete.
4. Select cert.cer and click OK.
Your certificate is installed and ready to use. Now assign it where it is meant to be used.
