The Mobile Access blade was enabled on the Check Point gateway in my earlier post “Enable Checkpoint SSL VPN Remote Access: Step by Step Instruction Part 1 (Local User Authentication)“. By default the Mobile Access portal presents a certificate issued by the gateway's own internal CA. Remote users' browsers do not trust that CA, so they show an untrusted-certificate warning every time the portal is opened. The fix is to install a certificate issued by a CA the browsers already trust, which takes four steps: generate a CSR on the gateway, have a third-party CA sign it, package the signed certificate together with the private key as a PKCS#12 (P12) file, and import that P12 into the portal.
1. Generate Certificate Signing Request (CSR)
From the gateway's expert mode, run:
cpopenssl req -new -out <CERT.CSR> -keyout <KEYFILE.KEY> -config $CPDIR/conf/openssl.cnf
This single command generates a new private key (written to <KEYFILE.KEY>) and a CSR for that key (written to <CERT.CSR>); the -config option points cpopenssl at Check Point's bundled OpenSSL configuration. For example:
cpopenssl req -new -out cert.csr -keyout keyfile.key -config $CPDIR/conf/openssl.cnf
It first asks for a passphrase to protect the private key file (you will need it again in step 3), then for the certificate subject fields. The Common Name must be the exact host name remote users type into their browser to reach the portal; a mismatch produces a browser warning even with a publicly trusted certificate. Keep keyfile.key on the gateway and never send it to the CA; only cert.csr is submitted.
2. Go to the Symantec Trust Center and submit your CSR. The following screenshots show the steps to obtain a trial certificate.
After submission it can take some days to receive your certificate. More details can be read in the previous post:
3. Generate a P12 certificate from the Verisign-signed certificate and your private key file.
The third-party CA sends you your certificate (received.crt) together with the CA chain, that is the root CA and intermediate CA certificates (ca_public_key.crt). The chain may arrive as one bundle or as several separate files. If it is several files, concatenate the PEM files yourself, intermediate first and root last, into a single ca_public_key.crt. The intermediate must be in the bundle: a browser that does not already know the intermediate cannot build the chain from the portal's certificate to a trusted root, and will warn just as it did with the default certificate.
The following command builds a P12 file from the CA-signed certificate, your private key and the CA chain:
cpopenssl pkcs12 -export -in received.crt -inkey keyfile.key -certfile ca_public_key.crt -out finalbundle.p12
It prompts first for the passphrase of keyfile.key, the one you entered when generating the CSR in step 1.
The second prompt is the confusing one. It reads “Enter Export Password” (easily misread as “Expert Password”) and asks you to verify it. This is not the gateway's expert-mode password; it is a new password of your choosing that protects the P12 file, and it is the password the Mobile Access portal asks for when you import the file in step 4.
Note: when you FTP this certificate off the gateway, binary (bin) mode is mandatory; ASCII mode silently corrupts a .p12 file. I was using ASCII mode and got an authentication failure in step 4.
4. Import the P12 file into the Mobile Access portal
Click Mobile Access -> Portal Settings -> Import.
Select the finalbundle.p12 generated in step 3. You are asked for the password of the PKCS#12 certificate: this is the export password the pkcs12 command prompted for when it wrote the P12 file in step 3, not the key passphrase from step 1 and not the gateway's expert-mode password.
View the certificate after importing it into the portal and confirm that the subject (Common Name), issuer and expiry date are the ones you expect.
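The command-line half of the procedure (steps 1 and 3) run end to end, plus the two checks worth doing before step 4, as an added example that is not part of the original post. A commercial CA cannot be contacted offline, so the script constructs a throwaway root and intermediate CA to stand in for Symantec; every other command mirrors the ones above. The FQDN, the two passwords, the file names, the minimal openssl.cnf and the Example Corp subject are assumptions; on a gateway you would set OPENSSL=cpopenssl and use $CPDIR/conf/openssl.cnf as the post does.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1 and 3 run end to end with the
# checks worth doing before step 4. A commercial CA is not reachable offline, so a
# throwaway root + intermediate CA is constructed here to stand in for Symantec; every
# other command mirrors the post. OPENSSL, FQDN, passwords and file names are assumptions;
# on the gateway set OPENSSL=cpopenssl.
set -e
OPENSSL=${OPENSSL:-openssl}
WORK=${WORK:-$(mktemp -d)}
FQDN=${FQDN:-vpn.example.com}     # the name remote users type into the browser
KEYPASS=${KEYPASS:-KeyPass123}    # step 1 prompt: protects keyfile.key
P12PASS=${P12PASS:-P12Pass456}    # step 3 "Export Password" prompt: protects finalbundle.p12
CFG=$WORK/openssl.cnf

# Minimal stand-in for $CPDIR/conf/openssl.cnf: only the extension sections used below.
write_cfg() {
cat > "$CFG" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN
EOF
}

# Step 1: one command makes both the private key and the CSR; CN and SAN must be the portal FQDN.
make_csr() {
  "$OPENSSL" req -new -newkey rsa:2048 -config "$CFG" -subj "/O=Example Corp/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" -passout "pass:$KEYPASS" \
    -keyout "$WORK/keyfile.key" -out "$WORK/cert.csr" 2>/dev/null
}

# Constructed stand-in for the CA: a root and an intermediate, delivered as two separate files.
make_stub_ca() {
  "$OPENSSL" req -x509 -new -newkey rsa:2048 -nodes -days 3650 -config "$CFG" -extensions v3_ca \
    -subj "/O=Stub CA/CN=Stub Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  "$OPENSSL" req -new -newkey rsa:2048 -nodes -config "$CFG" \
    -subj "/O=Stub CA/CN=Stub Intermediate CA" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  "$OPENSSL" x509 -req -days 1825 -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$CFG" -extensions v3_intermediate -out "$WORK/inter.crt" 2>/dev/null
}

# What the CA does with cert.csr: the intermediate signs it and returns received.crt.
sign_csr() {
  "$OPENSSL" x509 -req -days 365 -in "$WORK/cert.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -extfile "$CFG" -extensions v3_server -out "$WORK/received.crt" 2>/dev/null
}

# CA chain delivered as several files: concatenate PEM blocks, intermediate first, root last,
# then prove the leaf really chains to that bundle before building the P12.
build_chain_bundle() {
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca_public_key.crt"
  "$OPENSSL" verify -CAfile "$WORK/ca_public_key.crt" "$WORK/received.crt" >/dev/null 2>&1
}

# Step 3: -passin answers the key-passphrase prompt, -passout the "Export Password" prompt.
build_p12() {
  "$OPENSSL" pkcs12 -export -in "$WORK/received.crt" -inkey "$WORK/keyfile.key" -passin "pass:$KEYPASS" \
    -certfile "$WORK/ca_public_key.crt" -passout "pass:$P12PASS" -out "$WORK/finalbundle.p12" 2>/dev/null
}

# Pre-import checks for step 4. Repeat them on the gateway after the FTP transfer: if they pass
# here but fail there, the transfer (ASCII mode) corrupted the file; the password is not the problem.
p12_subject_cn() {
  "$OPENSSL" pkcs12 -in "$WORK/finalbundle.p12" -passin "pass:$P12PASS" -nokeys -clcerts 2>/dev/null \
    | "$OPENSSL" x509 -noout -subject | sed 's/.*CN *= *//'
}
p12_cert_count() {   # leaf + intermediate + root = 3 when the chain bundle was complete
  "$OPENSSL" pkcs12 -in "$WORK/finalbundle.p12" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
p12_sha256() {       # compare this value on both ends of the transfer
  "$OPENSSL" dgst -sha256 -r "$WORK/finalbundle.p12" | cut -d' ' -f1
}

run_all() { write_cfg && make_csr && make_stub_ca && sign_csr && build_chain_bundle && build_p12; }

# Stand-alone use: sh make_portal_p12.sh build
if [ "${1:-}" = "build" ]; then
  run_all
  echo "P12 ready in $WORK: CN=$(p12_subject_cn) certs=$(p12_cert_count) sha256=$(p12_sha256)"
fi
```

Run it with the argument build and it prints the Common Name, the number of certificates packed into the P12 and the SHA-256 of the file; after transferring finalbundle.p12 to the gateway in binary mode, recompute the hash there and open the file with the same password before importing it, so that a failure in step 4 can be pinned on the transfer or on the password rather than guessed at. One caveat if you build the P12 on a workstation instead of on the gateway: OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default, which some older PKCS#12 readers reject; if the importer refuses a file that opens fine with the OpenSSL that built it, rebuild it with the OpenSSL 3 -legacy option, or build it on the gateway with cpopenssl as the post does.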
- Mobile Access Blade Configuration and Settings
- How to Generate a Certificate Signing Request for the Mobile Access Blade
- Use Symantec Verisign as OPSEC PKI to authenticate Checkpoint Site-to-Site IPSec VPN