With Check Point software it’s very easy to configure client authentication over https or SSL VPN with the SSL Network Extender (SNX).
But unfortunately, Check Point presents a self-signed certificate from the internal CA to the users.
The resulting browser warning can confuse users, and depending on the company policy and the browser settings the connection might not work at all.
The better way is to have a certificate on the gateway that was issued by one of the big CAs, such as Verisign or Thawte, and present this to the users.
Because these CAs are known to the browser as trustworthy, no error message appears while connecting.
I’m going to show you how to configure your gateway with a certificate from a 3rd party CA.
1. First, we need to create a trusted CA object under the Servers and OPSEC Applications section.

2. Then we give a name to the CA object and choose OPSEC PKI as CA type.

3. On the next tab you can import the CA certificate from a file.

Here you can also choose automatic enrollment for certificate renewal over three different protocols. However, this isn’t supported by all CAs. Personally I don’t do automatic renewals but do them by hand every time instead.
If you uncheck CRL retrieval from HTTP servers, all certificates will be trusted, whether revoked or not. For our purpose it’s ok to have this unchecked.
4. While importing the CA certificate you have to approve it.

5. Now we’re done with the CA object and can actually go to the gateway object.

6. Click on Add to create a new certificate. You’re asked for a Nickname for the certificate, which is used in various places in the GUI and in config files. I would suggest keeping it short and descriptive. Choose to enroll this certificate from the CA object created in the previous steps.

7. At this point a CSR (certificate signing request) is going to be generated. The DN (Distinguished Name) has to be correct for the certificate to be created by the CA, so take good care here!

In our example the certificate is signed by United Internet CA, and we have to use this DN for a gateway with the DNS name fw.test.de:
CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE
Alternative DNS names are defined as FQDNs.
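Because a wrong DN means the CA rejects the request (and a wrong CN means browsers still warn), it pays to check the string before pasting it into the CSR dialog. The following script is an added example, not Check Point’s code: it parses a DN in the comma-separated form shown above (including the OID.2.5.4.17 notation for attributes without a short name) and flags the usual mistakes. The set of accepted attribute types in KNOWN_TYPES is an assumption about what the CA accepts, and EXAMPLE_DN is the DN from this post.

```python
"""Sanity checks for the Distinguished Name entered at the CSR step.

Added example, not Check Point's code. Parses the comma-separated DN string
(RFC 4514 style, with OID.x.y.z for attributes that have no short name) and
flags the mistakes that typically cause a CA to reject the request.
KNOWN_TYPES is an assumption about what the CA accepts.
"""
import re

# Attribute types used in the DN from the post; OID.2.5.4.17 is postalCode (assumption).
KNOWN_TYPES = {"CN", "OU", "O", "L", "ST", "C", "STREET", "OID.2.5.4.17"}

# Plain FQDN: dotted labels, no wildcard, no trailing dot.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)

# The DN from the post, for a gateway called fw.test.de.
EXAMPLE_DN = (
    "CN=fw.test.de,OU=Comodo InstantSSL,OU=Authorized by United SSL,"
    "OU=Authorized by United SSL,O=TEST GmbH,STREET=Test Straße 90,"
    "L=Hamburg,ST=Hamburg,OID.2.5.4.17=22159,C=DE"
)


def parse_dn(dn):
    """Split a DN string into an ordered list of (type, value) pairs.

    A backslash escapes the next character, so a value such as
    'Test\\, Inc' keeps its comma. The first unescaped '=' in an RDN
    separates type from value; later '=' characters belong to the value.
    """
    rdns, buf, key, escaped = [], [], None, False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = "".join(buf).strip()
            buf = []
        elif ch == ",":
            if key is None:
                raise ValueError(f"RDN without '=': {''.join(buf)!r}")
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    if key is None:
        raise ValueError(f"RDN without '=': {''.join(buf)!r}")
    rdns.append((key, "".join(buf).strip()))
    return rdns


def check_dn(dn, gateway_fqdn, alt_names=()):
    """Return a list of problems; an empty list means the DN is ready to use."""
    problems = []
    rdns = parse_dn(dn)
    types = [t.upper() for t, _ in rdns]

    # Exactly one CN, and it must be the gateway's DNS name.
    cns = [v for t, v in rdns if t.upper() == "CN"]
    if len(cns) != 1:
        problems.append(f"expected exactly one CN, found {len(cns)}")
    elif cns[0].lower() != gateway_fqdn.lower():
        problems.append(f"CN {cns[0]!r} does not match gateway FQDN {gateway_fqdn!r}")

    for required in ("O", "C"):
        if required not in types:
            problems.append(f"missing required attribute {required}")

    for t, v in rdns:
        if not v:
            problems.append(f"empty value for {t}")
        if t.upper() == "C" and not re.fullmatch(r"[A-Z]{2}", v):
            problems.append(f"C must be a two-letter country code, got {v!r}")
        if t.upper() not in KNOWN_TYPES:
            problems.append(f"unexpected attribute type {t!r}")

    # Alternative names must be FQDNs, as the post requires.
    for name in alt_names:
        if not FQDN_RE.match(name):
            problems.append(f"alternative name {name!r} is not a FQDN")
    return problems


if __name__ == "__main__":
    print(check_dn(EXAMPLE_DN, "fw.test.de", ["fw.test.de", "vpn.test.de"]) or "DN OK")
```

Run it with the DN you intend to enter and the list of alternative names; anything it reports is cheaper to fix now than after the CA has rejected the CSR or issued a certificate for the wrong name.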
8. After filling in the details a CSR is presented. Copy it to the clipboard or save it to a file and hand it over to the CA you chose for signing. Make sure that the text is copied completely.

9. When the CA gives you back your signed certificate, complete the process by selecting the appropriate nickname and clicking on Complete.

10. Load the certificate, accept it and attach it to the gateway.

11. Now you can choose this certificate to be presented when connecting to SSL Network Extender etc.

To use this certificate in client authentication you have to configure the file $FWDIR/conf/fwauthd.conf.
Change the entry to
900 fwssd in.ahclientd wait 900 ssl:fw.test.de
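Once the gateway is reconfigured, the useful check is to see what it actually presents: a handshake with the system trust store that fails means the browser warning is still there. The following script is an added example, not Check Point’s code. fetch_peer_cert() connects the way a browser would (default verifying context, hostname check) and assess_cert() inspects the returned certificate for the problems this post is about: a name that does not match the gateway, a self-signed certificate, and an approaching expiry that needs the manual renewal described above. The certificate dicts are constructed samples in the shape Python’s ssl.getpeercert() returns, and the issuer names in them are made up.

```python
"""Check what the gateway presents after the change.

Added example, not Check Point's code. fetch_peer_cert() performs the same
validation a browser does (system trust store, hostname check) and raises if
the gateway still serves a certificate the client does not trust; assess_cert()
is a pure function over the getpeercert() dict so it can be run offline.
The certificate dicts below are constructed samples, not real gateway output.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone


def fetch_peer_cert(host, port=443):
    """TLS-connect with the default verifying context and return the peer cert."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname checking on
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name_matches(pattern, host):
    """RFC 6125-style match: exact, or a single leading wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def _flatten(name):
    """Turn getpeercert()'s nested RDN tuples into a flat dict."""
    return {k: v for rdn in name for k, v in rdn}


def assess_cert(cert, host, now=None, warn_days=30):
    """Return a list of findings for a getpeercert()-shaped dict.

    `now` may be an aware datetime or an ISO-8601 string; None means real time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    findings = []
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))

    # Name check: SANs take precedence; fall back to the CN only if there are none.
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [subject.get("commonName", "")]
    if not any(_name_matches(n, host) for n in names):
        findings.append(f"no name in {names} matches {host!r}")

    # A self-signed certificate is exactly what was replaced; flag it.
    if subject and subject == issuer:
        findings.append("certificate is self-signed")

    # Expiry: renewal is done by hand, so warn well before the date.
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc
    )
    if not_after <= now:
        findings.append(f"certificate expired on {not_after:%Y-%m-%d}")
    elif not_after - now < timedelta(days=warn_days):
        findings.append(f"certificate expires on {not_after:%Y-%m-%d}, renew it")
    return findings


# Constructed sample of a CA-issued certificate (issuer name is made up).
GOOD_CERT = {
    "subject": ((("countryName", "DE"),), (("organizationName", "TEST GmbH"),),
                (("commonName", "fw.test.de"),)),
    "issuer": ((("countryName", "GB"),), (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA Server"),)),
    "subjectAltName": (("DNS", "fw.test.de"), ("DNS", "vpn.test.de")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}

# Constructed self-signed sample, the situation before the change.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "fw.test.de"),),),
    "issuer": ((("commonName", "fw.test.de"),),),
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "fw.test.de"
    try:
        cert = fetch_peer_cert(target)
    except (ssl.SSLError, OSError) as exc:
        sys.exit(f"{target}: handshake failed ({exc}); a browser would warn too")
    print(assess_cert(cert, target) or f"{target}: certificate looks fine")
```

Run it against the gateway’s DNS name from a client network. A verification error from the handshake, rather than a finding from assess_cert(), is the sign that the old internal-CA certificate is still being served on that port.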
Tobias Lachmann
