CREATE CSR AND INSTALL SSL ONTO A CHECKPOINT VPN APPLIANCE
Add a Root Certificate and Subordinate (Intermediate Certificate) & Create CSR
If you have already added the root and intermediate certificates and just need to install the SSL Certificate you received, skip ahead to Install SSL onto a Checkpoint VPN Appliance.
HOW TO CREATE YOUR CSR FOR A CHECKPOINT VPN APPLIANCE
Add the Root Certificate
1. Open the SmartDashboard so you can see all of your network devices.
2. Right-click on Trusted CAs and then click New CA > Trusted.
3. In the Certificate Authority Properties window, on the General tab, in the Name box, enter a name for the root certificate (e.g. TRUSTZONE_Root).
4. On the OPSEC PKI tab, check HTTP Server(s).
5. Click Get, browse to the TrustedRoot.crt file that TRUSTZONE sent you, open it and click OK.
6. In the Certificate Authority Certificate View window, click Ok to trust this Certificate Authority root certificate.
ADD THE INTERMEDIATE CERTIFICATE
7. In the SmartDashboard, right-click on Trusted CAs and then click New CA > Subordinate.
8. In the Certificate Authority Properties window, on the General tab, in the Name box, enter a name for the Intermediate certificate (e.g. TRUSTZONE_Intermediate).
9. On the OPSEC PKI tab, click Get, browse to the IntermediateCA.crt file that TRUSTZONE sent you, open it and click OK.
10. In the Certificate Authority Certificate View window, click Ok to trust this Certificate Authority intermediate certificate.
CREATE YOUR CSR
11. In the SmartDashboard, open the properties of the gateway (or gateway cluster) that will serve the SSL certificate and click Add to create a CSR.
For example, go to Gateway Cluster > IPSec VPN > Add > Certificate Nickname (e.g. the FQDN of the gateway).
12. In the Certificate Properties window, enter the following information:
- Certificate Nickname: Enter a nickname for the certificate (e.g. TRUSTZONE or yourdomain.com).
- CA to enroll from: In the drop-down list, select the intermediate certificate that you added (e.g. TRUSTZONE_Intermediate).
13. When you are finished, click Generate.
14. In the Check Point SmartDashboard window, click Yes to generate the certificate for this node.
15. In the Generate Certificate Request window, in the DN box, enter CN=vpn.yourdomain.com (the FQDN that clients connect to) and click OK.
Note: If you are ordering a SAN certificate, click Define Alternate Names and enter the additional names when prompted.
16. Next, click View to see the CSR.
17. In the Certificate Request View window do the following and then click OK:
- Click Copy to Clipboard: Copies the CSR to the clipboard. If you use this option, paste the CSR into a text editor such as Notepad straight away; if you later overwrite the clipboard with something else, you still have the CSR and do not have to go back and recreate it.
- Click Save to File: Saves the CSR to a file on the computer running SmartDashboard. We recommend this option.
18. Use a text editor to open the file. Copy the whole text, including the
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
lines, and paste it into the TRUSTZONE order form.
Note: During the TRUSTZONE SSL Certificate ordering process, select Other when asked to Select Server Software. This option ensures that you receive all the certificates (root, intermediate and your own) that the Checkpoint SSL Certificate installation requires.
19. After you receive your SSL Certificate from TRUSTZONE, you can install it.
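The checks a practitioner would run before pasting the CSR into the order form (step 18) and again on the returned certificate before clicking Complete on the gateway, as an added example using the openssl command line; this script is not from the TRUSTZONE page or from Check Point's software. Because it has to run offline, it builds a throwaway root and intermediate CA in a temporary directory to stand in for TRUSTZONE's CA, and generates a CSR with a CN and alternate names the way the gateway does in steps 15 and 16; the hostname vpn.example.com, the CA names and the file names under $WORK are assumptions.

```shell
#!/bin/sh
# Added example, not part of the TRUSTZONE page or Check Point's software.
# Offline sanity checks with the openssl CLI for (a) the CSR exported from
# SmartDashboard, before it goes into the order form, and (b) the signed
# certificate that comes back, before it is completed on the gateway.
# A throwaway root/intermediate hierarchy is built in a temp dir so the script
# runs stand-alone (assumption: it stands in for TRUSTZONE's CA); with real
# files substitute TrustedRoot.crt, IntermediateCA.crt, the saved CSR and
# your_domain_com.crt.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject CN of a PEM CSR. RFC2253 output reads "CN=host,..." on every
# openssl version, so the sed pattern does not depend on the default format.
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# DNS names from the subjectAltName of a CSR ($1=req) or certificate
# ($1=x509), one per line; empty output if there is no SAN extension.
dns_names() {
  openssl "$1" -in "$2" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p'
}

# The CSR is what step 18 expects: intact PEM markers (Windows-style "NEW
# CERTIFICATE REQUEST" is tolerated), a valid self-signature, the expected
# CN and a key of at least 2048 bits.
csr_check() {   # $1 = CSR file, $2 = expected CN
  grep -Eq -- '-----BEGIN (NEW )?CERTIFICATE REQUEST-----' "$1" || return 1
  grep -Eq -- '-----END (NEW )?CERTIFICATE REQUEST-----' "$1" || return 1
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  [ "$(csr_cn "$1")" = "$2" ] || return 1
  bits=$(openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
  [ "${bits:-0}" -ge 2048 ]
}

# The issued certificate carries the public key from this CSR, i.e. it belongs
# to the key pair the gateway generated and not to some other request.
cert_matches_csr() {   # $1 = certificate, $2 = CSR
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# The leaf chains to the root through the intermediate: the same relationship
# the gateway relies on with the Trusted CA objects from steps 1 to 10.
chain_verify() {   # $1 = root, $2 = intermediate, $3 = leaf certificate
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Constructed test hierarchy (assumption: stands in for TRUSTZONE's CA).
make_test_pki() {   # $1 = directory
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/inter.ext"
  openssl x509 -req -days 30 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/inter.ext" -out "$d/inter.pem" 2>/dev/null
  # The gateway's CSR from steps 15 and 16: a CN plus alternate names.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.com" \
    -addext "subjectAltName=DNS:vpn.example.com,DNS:example.com" \
    -keyout "$d/vpn.key" -out "$d/vpn.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vpn.example.com,DNS:example.com\n' > "$d/vpn.ext"
  openssl x509 -req -days 30 -in "$d/vpn.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -extfile "$d/vpn.ext" -out "$d/vpn.crt" 2>/dev/null
}

make_test_pki "$WORK"
csr_check "$WORK/vpn.csr" vpn.example.com
echo "CSR ok: CN=$(csr_cn "$WORK/vpn.csr") SAN=$(dns_names req "$WORK/vpn.csr" | tr '\n' ' ')"
cert_matches_csr "$WORK/vpn.crt" "$WORK/vpn.csr"
echo "certificate public key matches the CSR"
chain_verify "$WORK/root.pem" "$WORK/inter.pem" "$WORK/vpn.crt"
echo "chain verifies through the intermediate"
# Against the root alone the leaf must fail: this is what a gateway that is
# missing the Subordinate CA object from step 7 looks like to clients.
if openssl verify -CAfile "$WORK/root.pem" "$WORK/vpn.crt" >/dev/null 2>&1; then
  echo "unexpected: leaf verified without the intermediate"; exit 1
fi
echo "leaf does not verify against the root alone (intermediate required)"
```

With real files, point csr_check at the CSR saved in step 17 and chain_verify at TrustedRoot.crt, IntermediateCA.crt and your_domain_com.crt. After the policy is installed, `openssl s_client -connect vpn.yourdomain.com:443 -servername vpn.yourdomain.com -showcerts` shows which certificates the gateway actually serves; a chain that stops at the leaf is the usual symptom of a missing or wrongly selected intermediate.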
INSTALLING THE CERTIFICATE TO THE CHECKPOINT DEVICE
- Open the properties of the gateway that will serve the SSL certificate, go to IPSec VPN, select the certificate you requested (by its nickname), click Complete, browse to your_domain_com.crt and click OK.
- If you allow Clientless VPN login, enable that option and select the certificate for this gateway by its nickname.
- To allow VPN Client login, enable that option under IPSec VPN, choose SSL Network Extender, select the certificate by its nickname and click OK.
PUSH THIS POLICY TO DEVICES AND CLIENTS
- Click the Install Policy button (next to the green checkmark button, above the 'Anti-spam & Mail' tab; see the image below).
- Select the Installation Targets: the gateways that should receive the certificate. You can install on each selected gateway independently, or, as a safeguard, choose the option that installs on all selected gateways only if it succeeds on every one of them (if installation fails on one gateway, none are updated). To help track database changes, you can also tick the box to name the change and leave a comment about it.
This pushes the new policy, including the certificate, to the selected gateways; VPN clients see the new certificate the next time they connect.
Last updated: August 4, 2017