
How to Install an SSL Certificate on Checkpoint VPN?

Friday, March 22nd, 2019

This step-by-step tutorial explains how to generate a CSR code and install an SSL Certificate on a Checkpoint VPN gateway appliance. Besides the configuration instructions, you will also learn a few interesting facts about Checkpoint, as well as discover the best place to shop for SSL Certificates.

Generate a CSR Code on Checkpoint VPN
Install an SSL Certificate on Checkpoint VPN
Test your SSL installation
Checkpoint VPN history
Where to buy the best SSL Certificate for Checkpoint VPN?

Generate a CSR Code on Checkpoint VPN

Creating a CSR (Certificate Signing Request) code is a mandatory pre-installation step every SSL applicant must perform. Usually, CSR generation and SSL installation are separate from one another, but with Checkpoint VPN, things are not as straightforward.

Checkpoint asks users to install both the Root and Intermediate CA certificates before they can generate their CSR code. Consequently, you will have to ask your SSL vendor or CA provider for these two SSL files.

What is a root certificate?

A root SSL certificate is a certificate issued by a trusted Certificate Authority (CA) that sits at the top of the SSL chain of trust. The root SSL Certificate is included in the browser’s trusted root store.

What is an intermediate certificate?

An intermediate CA certificate is a subordinate certificate signed by the trusted root and used to issue end-user server certificates. It resides below the root certificate in the SSL chain of trust hierarchy. The intermediate CA adds another layer of security, because server certificates are not issued directly by the root.

How to get the root and intermediate certs?

In a typical SSL configuration, you receive all the necessary certificates after you generate the CSR Code and your CA validates your request. After the CA signs an SSL Certificate, it sends a ZIP folder with the installation files to the applicant’s email.

Since Checkpoint VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the X.509/PEM versions of your root and intermediate certificates.

Please follow the steps below to generate your CSR Code.

Import your root and intermediate certificates

  1. Prepare your root and intermediate certificates. Make sure each certificate is in its own text file with a .crt extension. You can use any text editor such as Notepad to create the .crt files

    Note: Some CAs require two intermediate certs for better browser compatibility. You should create a separate .crt file for each certificate and install them one at a time.

  2. Log into your SmartDashboard Checkpoint GUI
  3. In the Servers and OPSEC Application tab, go to Servers > Trusted CAs > New CA and click Trusted
  4. In the Certificate Authority Properties window, select the General tab and enter any name and comment in the Name and Comment fields. Click OK
  5. Next, move to the OPSEC PKI tab, and under Retrieve CRL From, check only the HTTP Server(s) option
  6. Under Certificate, next to Get the CA Certificate from a file (obtained from the FW or CA Administrator), click the Get button
  7. Browse and open your Root.crt certificate file. Click OK
  8. Go to Servers > Trusted CAs and look for your root CA certificate. If it’s there, the import was successful
  9. Now, import your intermediate certificate. Repeat steps 3, 4, 5 and 6 to upload your intermediate cert
  10. Browse and open your Intermediate.crt certificate file. Click OK
  11. Go to Servers > Trusted CAs and look for your root and intermediate certificates. If they are there, the import was successful.
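
CAs often send the root and intermediates as one bundle file, while step 1 needs one certificate per .crt file. The following is an added example, not part of the original tutorial: it splits a PEM bundle and labels each file as root or intermediate. The function name `split_ca_bundle` and the `ca-N.crt` file names are assumptions, and the `openssl` command-line tool must be installed.

```shell
#!/bin/sh
# split_ca_bundle BUNDLE OUTDIR  (function and file names are this example's own)
# Writes every certificate found in BUNDLE to OUTDIR/ca-N.crt, one per file, and
# prints "<file> <root|intermediate> <subject>" for each, so you know which
# file to load in which Trusted CAs import.
split_ca_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    # Start a new file at each BEGIN line and copy through the END line;
    # labels or blank lines between certificates are dropped.
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".crt"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    ' "$bundle" || return 1
    for f in "$outdir"/ca-*.crt; do
        [ -f "$f" ] || { echo "no certificates found in $bundle" >&2; return 1; }
        # openssl fails here if the file is not a well-formed PEM certificate.
        subject=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253) || return 1
        issuer=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253) || return 1
        # A root is self-issued: its subject and issuer names are identical.
        if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
            kind=root
        else
            kind=intermediate
        fi
        echo "$f $kind ${subject#subject=}"
    done
}
```

Run it as `split_ca_bundle bundle.pem ./ca-files` and import the file labelled root first, then each intermediate.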

Generate the CSR request

  1. In your SmartDashboard, expand the Network Objects tab, right-click the CheckPoint gateway/cluster and select Edit
  2. In the Gateway Cluster Properties Window, from the left pane, select VPN then click Add
  3. In the Certificate Properties window, enter a Certificate Nickname of your choice
  4. In the same window, from the CA to enroll from drop-down list, select the intermediate certificate you imported in step 10 of the previous section
  5. Hit the Generate button and then Yes
  6. In the Generate Certificate Request Window in the DN box, you need to enter the following contact details, in a single long string, separated by commas. Please follow the examples below and enter your actual details:
    • CN (Common Name): provide the FQDN (fully-qualified domain name) you want to secure. For example, yourwebsite.com

      Note: If you have a wildcard certificate, add an asterisk (*) in front of your domain name. For example, *.yourwebsite.com

    • OU (Organizational Unit): name the unit within your organization requesting the SSL certificate. For instance, IT or Web Administration
    • O (Organization): submit the full, legal name of your company. For example, GPI Holding LLC
    • L (Locality): type the full name of the city where your company is registered. For example, San Jose
    • ST (State or region): write the full name of the state or region where your company is located. For instance, California
    • C (Country): enter the two-letter code of your country. For example, US

      The whole string should look like this:
      CN=yourwebsite.com, OU=IT, O=Your Company Name, L=City, ST=State, C=Country
  7. Click OK and return to the Gateway Cluster Properties, under VPN. You should now see a certificate request under the Nickname you created
  8. Click View to see your newly generated CSR code
  9. You can now copy the CSR content, including the BEGIN and END tags into a text editor of your choice and save the file on your device. Click Save to File to export your CSR code, then OK
  10. You will need to use the CSR code during your SSL order with your vendor.

Install an SSL Certificate on CheckPoint

Since you’ve already imported the root and intermediate Certificates into CheckPoint, all that’s left is your primary SSL Certificate. You should receive it via email from your CA in a ZIP Folder. After you download and extract your primary SSL Certificate, please follow the steps below to complete the installation:

  1. In your SmartDashboard, expand the Network Objects tree, right-click your CheckPoint gateway/cluster, and select Edit
  2. In the Gateway Cluster Properties window, choose VPN, then select the Nickname you gave to your cert during CSR generation, in step 3. Click Complete
  3. Next, browse to your SSL Certificate and click Open
  4. Double check the details of your certificate and click OK
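
Before clicking Complete in step 2, you can confirm offline that the file from your CA was issued for the CSR saved during generation and that it chains to the root and intermediate you imported. This is an added example, not part of the original tutorial; the function name `check_issued_cert` and its return codes are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# check_issued_cert CSR CERT ROOT INTERMEDIATE  (names are this example's own)
# Returns 0 when CERT can be installed against the pending request, otherwise:
#   1 = CSR file is damaged, 2 = CERT was issued for a different key,
#   3 = CERT does not chain to the given root and intermediate.
check_issued_cert() {
    csr=$1
    cert=$2
    root=$3
    intermediate=$4
    # 1. The CSR carries a self-signature; a copy that lost characters or the
    #    BEGIN/END lines will not verify. Match on the output text because
    #    older openssl releases exit 0 even when verification fails.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q "verify OK" || {
        echo "CSR is not intact: $csr" >&2; return 1; }
    # 2. The gateway holds the private key for the CSR, so the certificate
    #    must contain exactly the same public key as the request.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    crt_key=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ] || {
        echo "certificate public key does not match the CSR" >&2; return 2; }
    # 3. Build the path leaf -> intermediate -> root using only the two CA
    #    files that were imported under Trusted CAs.
    openssl verify -CAfile "$root" -untrusted "$intermediate" "$cert" >/dev/null 2>&1 || {
        echo "certificate does not chain to the imported CAs" >&2; return 3; }
    # Show what will be installed: subject, issuer and validity dates.
    openssl x509 -in "$cert" -noout -subject -issuer -dates
}
```

A return code of 2 usually means the certificate belongs to a different request, for example one generated again under a new Nickname after the order was placed.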

Congratulations, you’ve successfully installed an SSL Certificate on CheckPoint VPN.

Test Your SSL Installation

After you install an SSL certificate on CheckPoint VPN, some SSL errors or vulnerabilities may still exist. To avoid potential trouble, it’s recommended to run a diagnostic test on your SSL installation. Plenty of SSL tools can instantly generate reports on your SSL Certificate. In this article, we’ve selected the best options.

Checkpoint history

Check Point Software Technologies Ltd. is an Israeli multinational company specializing in software and combined hardware and software products for IT security, including network security, endpoint security, mobile security, data security, and security management.

Founded in Ramat Gan in 1993, Check Point has acquired a number of impressive companies and divisions, including Nokia’s Security Appliances division in 2009.

Where to buy the best SSL Certificate for Checkpoint VPN?

When buying an SSL Certificate, you should consider three crucial aspects: validation type, price, and customer service. At SSL Dragon, we offer the entire range of SSL Certificates at affordable prices, backed by five-star customer service! Our SSL certificates are signed by renowned Certificate Authorities, and thus are compatible with the majority of VPN appliances, including CheckPoint. Whether you need a cheap Domain Validation certificate or a premium Extended Validation product, we’ve got you covered.

SSL Dragon’s prices are the most competitive on the market, while our dedicated support team is highly appreciated by our existing customers. If you don’t know what type of SSL certificate to choose, simply use our SSL Wizard and Certificate Filter tools. They will help you find the ideal SSL product for your website.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.