Creating CSR & Installation of SSL Certificates on a Checkpoint VPN Appliance
How to create CSR for a VPN Appliance
Adding the Root Certificate
- Access the SmartDashboard to view all devices on your network
- Right-click "Trusted CAs" and select the option New CA > Trusted
- The "Certificate Authority Properties" window will appear; select the "General" tab and enter the name for your root certificate (e.g. SSL247_Root) in the "Name" box
- Select the "OPSEC PKI" tab, then check "HTTP Server"
- By clicking "Get" you will be able to browse for the "TrustedRoot.CRT" file that was sent by SSL247. Select the file and click "OK"
- The "Certificate Authority - Certificate View" window will appear; click "OK" to enable trust in this CA's Root Certificate
Adding the Intermediate Certificate
- Using the SmartDashboard, right-click "Trusted CAs" then select "NEW CA > Subordinate"
- This will open the "Certificate Authority Properties" window; select the "General" tab and enter your Intermediate Certificate name (e.g. SSL247_Intermediate) in the "Name" box.
- Once the "OPSEC PKI" tab appears, select "Get" to find the IntermediateCA.crt that was sent to you by SSL247, then click "OK"
- The "Certificate Authority - Certificate View" window will appear; select "OK" to enable trust in the CA's Intermediate Certificate
Create the CSR
- Access the SmartDashboard, then open the "Device" properties for the device that will present the SSL Certificate. Click "Add" to create the CSR.
EXAMPLE Gateway Cluster > IPSEC VPN > Add > Certificate Nickname (e.g. FQDN)
- The "Certificate Properties" window will appear; you will have to enter:
  - Certificate Nickname: e.g. exampledomain.com
  - CA to Enroll From: Select the added Intermediate from the dropdown list
- Once finished, select "Generate"
- The CheckPoint SmartDashboard window will appear; select "Yes" to generate this node's certificate
- In the "Generate Certificate Request" window, locate the "DN" box and enter: CN=VPN.exampledomain.com then click "OK"
NOTE If you are using a SAN Certificate, click "Define Alternate Names" and specify the particular names
- Select "View" to access your CSR
- When the "Certificate Request View" tab appears, perform the following:
  - Select "Copy to Clipboard" (this will copy the contents of the certificate request to the clipboard)
  - Click "Save to File" - This will save the CSR on your VPN Appliance
- Use any text editor to open the file, then copy the contents in their entirety (including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines)
- Following this, you should paste the contents into the "order form" supplied by the CA.
- After this process you will receive your SSL Certificate from the CA, so you can install it
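Before pasting the CSR into the order form, it is worth confirming that the saved file is complete and carries the names entered in the "DN" and "Define Alternate Names" steps. The script below is an added example, not part of the original guide or of any Check Point or SSL247 tooling; it assumes the OpenSSL command line (1.1.1 or later) on the administrator's workstation, and the csr_ok function, the file names and the generated sample CSR are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): check a saved CSR before
# pasting it into the CA's order form. File names and sample values are constructed.

# csr_ok FILE EXPECTED_CN [EXPECTED_SAN_DNS]
# Succeeds only if both PEM armor lines are present, the request's
# self-signature verifies, the subject CN matches, and (when given)
# the DNS alternate name is listed.
csr_ok() {
    csr=$1; want_cn=$2; want_san=${3:-}
    for line in '-----BEGIN CERTIFICATE REQUEST-----' '-----END CERTIFICATE REQUEST-----'; do
        grep -qF -- "$line" "$csr" || { echo "missing: $line"; return 1; }
    done
    # A truncated or altered paste fails the self-signature check.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "self-signature did not verify"; return 1; }
    # RFC2253 output puts the CN first and has a stable, space-free form.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    case "$subj" in
        "CN=$want_cn"|"CN=$want_cn",*) ;;
        *) echo "unexpected subject: $subj"; return 1 ;;
    esac
    if [ -n "$want_san" ]; then
        # Split the alternate-name list so the DNS entry is compared exactly.
        openssl req -in "$csr" -noout -text | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
            | grep -qxF "DNS:$want_san" || { echo "SAN missing: $want_san"; return 1; }
    fi
    echo "CSR OK: $subj"
}

# Constructed demo input: a throwaway key and CSR standing in for the file
# saved from the "Certificate Request View" window.
demo=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -keyout "$demo/key.pem" -out "$demo/vpn.csr" \
    -subj "/CN=VPN.exampledomain.com" \
    -addext "subjectAltName=DNS:vpn.exampledomain.com" 2>/dev/null
csr_ok "$demo/vpn.csr" VPN.exampledomain.com vpn.exampledomain.com
```

For a real request, call csr_ok with the path of the file saved from the appliance and the names you entered; the SAN argument can be omitted for a single-name certificate.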
Installing the Certificate to CheckPoint Device
- Open the device which will contain the SSL Certificate, then select "IPSEC VPN" > "Complete". Locate your "example_domain_com.cert" file and click "OK"
- If you need to allow "VPN Client Login", enable that option from "IPSEC VPN" by selecting "SSL Network Extender > Select by Nickname > OK"
Pushing Policies: Devices & Clients
- Select the "Install Policies" button
- Define which "Installation Targets" the certificate should be sent to