Wednesday, September 11, 2013

Check Point VPN-1 NG : Usage of an OPSEC PKI as external Certificate Authority


    Import a new OPSEC PKI Certificate Authority

    Create a new Certificate Authority by selecting the Servers and OPSEC Application tab, opening Servers and then Certificate Authority.

    Specify a proper name, description and type (here we use XCA as the PKI tool, so the type is OPSEC PKI):

    Import of the external Certificate Authority

    Select a Certificate Authority file for input

    Import the external Certificate Authority by selecting the proper file:
    Note: when using XCA as the PKI tool, select the CA under the Certificates tab, then Export -> File, Export Format: PEM.
    Also disable the retrieval of CRLs for now, unless you have already set up an LDAP or HTTP server that serves the CRL of the chosen CA.

    Verification of the chosen Certificate Authority file:

    After successful verification (e.g. by comparing the DN and the fingerprint), accept the import.

    Advanced settings

    There is currently no need to touch the default values in Advanced settings.


    As a result you get a second Certificate Authority beneath the already existing internal_ca:

    Use of an OPSEC PKI for IKE authentication

    Create a certificate request for the Check Point VPN-1 object, to be signed later by the external PKI:

    If you cannot specify the subject alternative name later in the PKI tool, specify it in the request as shown here (note that XCA, at least up to version 0.4.5, does not honour subject alternative names in requests; they are overwritten or removed in the signing step):

    Export the certificate request via copy & paste from the View:

    Sign the certificate request of the module with the external PKI tool

    1. Create an empty PEM file on a floppy disk (here: PKIcert-checkpoint-request.pem)
    2. Open this file with the Notepad editor and select Format -> Word Wrap
    3. Paste the certificate request into the file
    4. Important: re-insert the line breaks that are missing on all lines (they are lost in the paste)
    5. Deselect Format -> Word Wrap; if the view no longer looks the same, step 4 was not completed
    6. Save and close the file
    7. Transfer the request to the PKI tool
    8. Import the request into the PKI tool
    9. Sign the request
      • Attention: because the Check Point VPN-1 currently still sends its ID_IPV4_ADDR during IKE authentication, which is not contained in the certificate issued by the internal_ca, you have to add it to the certificate signed by the external CA.
        • Using XCA: specify it in the subject alternative name as IP:
    10. Save the signed certificate to the floppy disk

    Import signed certificate

    Verify the certificate:
    Accept the certificate.
    The firewall object now has 2 certificates installed:
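    The notepad/floppy procedure above (re-inserting the lost line breaks, signing with the IP in the subject alternative name) and the "Verify the certificate" check, reproduced with openssl as an added example that is not from the original post. It assumes openssl is installed and uses a constructed throw-away CA, gateway key and the address 192.0.2.10 in place of the real ones.

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the notepad/floppy steps and the
# SAN fix with openssl. Assumptions: openssl in PATH; the CA and module key material are
# throw-away demo objects generated here (constructed, not the post's real PKI).
set -e
WORK=$(mktemp -d)   # files are left here for inspection

# Steps 4/5: the request pasted from the Check Point View has lost its line breaks, so
# re-wrap the base64 body to 64 columns between the BEGIN/END markers.
rewrap_request() {   # $1 = mangled request, $2 = repaired request
  header=$(grep -o -e '-----BEGIN[^-]*-----' "$1" | head -1)
  footer=$(grep -o -e '-----END[^-]*-----' "$1" | head -1)
  body=$(sed -e 's/-----BEGIN[^-]*-----//' -e 's/-----END[^-]*-----//' "$1" | tr -d ' \r\n')
  { echo "$header"; echo "$body" | fold -w 64; echo "$footer"; } > "$2"
  openssl req -in "$2" -noout -verify >/dev/null 2>&1   # non-zero if still unreadable
}

# Step 9: sign the module request with the external CA. Like XCA, "openssl x509 -req"
# drops any SAN from the request, so the gateway's IKE identity (ID_IPV4_ADDR) is added
# again through an extension file.
sign_with_ip_san() {   # $1 = request, $2 = gateway IPv4 address, $3 = output certificate
  printf 'subjectAltName=IP:%s\n' "$2" > "$WORK/san.ext"
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 365 -extfile "$WORK/san.ext" -out "$3" 2>/dev/null
}

# "Verify the certificate": it must chain to the imported CA and carry the IP in its SAN.
cert_has_ip_san() {   # $1 = certificate, $2 = expected IPv4; prints 1 if ok, else 0
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || { echo 0; return 0; }
  if openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; then echo 1; else echo 0; fi
}

# Constructed demo material: a throw-away external CA and a module key with its request.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj '/CN=Demo External CA' -days 365 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/module.key" \
  -out "$WORK/module-from-view.pem" -subj '/CN=fw-gateway' 2>/dev/null
# Simulate the copy & paste from the View: every line break in the request disappears.
tr -d '\n' < "$WORK/module-from-view.pem" > "$WORK/PKIcert-checkpoint-request.pem"
rewrap_request "$WORK/PKIcert-checkpoint-request.pem" "$WORK/module.csr"
sign_with_ip_san "$WORK/module.csr" 192.0.2.10 "$WORK/module.crt"
echo "module certificate carries IP SAN: $(cert_has_ip_san "$WORK/module.crt" 192.0.2.10)"
```

The repaired request in $WORK/module.csr is what you would transfer to the PKI tool in steps 7 and 8; the signed $WORK/module.crt is what gets imported back into the firewall object.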

    Force the use of this certificate by selecting the CA on a locally managed gateway

    Configure matching criteria for externally managed gateway or interoperable device

    Select OPSEC PKI; additionally, you can extend the matching criteria by DN, IPv4 address and e-mail (specified in the subject alternative names) contained in the certificate of the externally managed gateway or interoperable device.
