This post shows all the basic steps for getting a CA-signed certificate for the Mobile Access Portal, so that this kind of warning message no longer appears.
1. Generate Certificate Signing Request (CSR)
From gateway expert mode, run:
cpopenssl req -new -out <CERT.CSR> -keyout <KEYFILE.KEY> -config $CPDIR/conf/openssl.cnf
This command generates a new private key together with the CSR.
For example:
cpopenssl req -new -out cert.csr -keyout keyfile.key -config $CPDIR/conf/openssl.cnf
It will ask you to enter a password to protect your private key file.
2. Go to the Symantec Trust Center to submit your CSR. The following screenshots show all the steps to get a trial cert.
After submission, it will take some days to get your certificate. More details can be read in the previous post.
3. Generate a P12 certificate based on the Verisign-signed certificate and your private key file.
The third-party CA will send you your certificate (received.crt) and the CA bundle containing the Root CA and Intermediate CA certificates (ca_public_key.crt). The CA certificates may come as a single bundle or as multiple files; if they are multiple files, you will have to combine them manually into one file.
The following command generates a P12 certificate from the CA-signed certificate and your private key file.
cpopenssl pkcs12 -export -in received.crt -inkey keyfile.key -certfile ca_public_key.crt -out finalbundle.p12
During generation of the P12 file, it will ask for the password of the key file, which you entered when generating the CSR.
The second password prompt is confusing: it asks for "Expert Password" and then to verify it. This is actually the password for your P12 certificate (the export password).
Note: when transferring this P12 cert out with FTP, binary mode is mandatory. I was using ASCII mode and got an authentication failure in step 4.
4. Import P12 file into Mobile Portal
Click Mobile Access -> Portal Settings -> Import. Select the finalbundle.p12 generated in step 3. It will ask for the password for the PKCS#12 certificate, which is the "expert password" from step 3.
View the certificate after importing it into the portal.
5. Verify
Reference:
- Mobile Access Blade Configuration and Settings
- How to Generate a Certificate Signing Request for the Mobile Access Blade
- Use Symantec Verisign as OPSEC PKI to authenticate Checkpoint Site-to-Site IPSec VPN