This step by step tutorial explains how to install an SSL Certificate and generate a CSR code on Checkpoint VPN gateway appliance. Besides the configuration instructions, you will also learn a few interesting facts about Checkpoint, as well as discover the best place to shop for SSL Certificates.
Table of Contents
- Step 1: Get the root and intermediate certs
- Step 2: Import your root and intermediate certificates
- Step 3: Generate the CSR request on Checkpoint VPN
- Step 4: Install an SSL Certificate on Checkpoint VPN
- Test your SSL installation
- Where to buy the best SSL Certificate for Checkpoint VPN?
Creating a CSR (Certificate Signing Request) code is a mandatory pre-installation step every SSL applicant must perform. Usually, CSR generation and SSL installation are separate from one another, but with Checkpoint VPN, things are not as straightforward.
Checkpoint asks users to install both Root and Intermediate CA before they can Generate their CSR code. Consequently, you will have to ask your SSL Vendor or CA provider for these two SSL files.
A root SSL certificate is a certificate issued by a trusted Certificate Authority (CA) that sits at the top of the SSL chain of trust. The root SSL Certificate is included in the browser’s trusted root store.
An intermediate CA certificate is a subordinate certificate signed by the trusted root to issue end-user server certificates. It resides below the root certificate in the SSL chain of trust hierarchy. The intermediate CA certificate offers another layer of security, as it’s not issued directly from the root store.
Step 1: Get the root and intermediate certs
In a typical SSL configuration, you receive all the necessary certificates after you generate the CSR Code and your CA validates your request. After the CA signs an SSL Certificate, it sends a ZIP folder with the installation files to the applicant’s email.
Since Checkpoint VPN works the other way around, you have no choice but to contact your SSL vendor and ask for the x509/pem versions of your root and intermediate certificates.
Step 2: Import your root and intermediate certificates
Prepare your root and intermediate certificates. Make sure each certificate is in its own text file with a .crt extension. You can use any text editor such as Notepad to create the .crt files
Note: Some CAs require two intermediate certs for better browsers compatibility. You should create a separate .crt file for each certificate and install them one at a time.
- Log into your SmartDashboard Checkpoint GUI
- In the Servers and OPSEC Application tab go to Servers > Trusted CAs > New CA and click Trusted
- In the Certificate Authority Proprieties window, select the General tab and enter any name and comment in the Name and Comment fields. Click OK
- Next, move to the OPSEC PKI tab, and under Retrieve CL From, check only the HTTP Server(s) option
- Under Certificate, next to Get the CA Certificate from a file (obtained from the FW or CA Administrator), click on the Get button
- Browse and open your Root.crt certificate file. Click OK
- Go to Servers > Trusted CAs and look for your root CA certificates. If it’s there, the import was successful
- Now, import your intermediate certificate. Repeat steps 3, 4, 5 and 6 to upload your intermediate cert
- Browse and open your Intermediate.crt certificate file. Click OK
- Go to Servers > Trusted CAs and look for your root and intermediate certificates. If they are there, the import was successful.
Step 3: Generate the CSR request on Checkpoint VPN
- In your SmartDashboard, expand the Network Objects tab, right-click the CheckPoint gateway/cluster and select Edit
- In the Gateway Cluster Properties Window, from the left pane, select VPN then click Add
- In the Certificate Properties window, enter a Certificate Nickname of your choice
- In the same window, from the CA to enroll from the drop-down list, select the intermediate certificate you imported at point 2 from Step 2 above
- Hit the Generate button and then Yes
- In the Generate Certificate Request window in the DN box, you need to enter the following contact details, in a single long string, separated by commas. Please follow the examples below and enter your actual details:
- CN (Common Name): provide the FQDN (fully-qualified domain name you want to secure. For example, yourwebsite.com
Note: If you have a wildcard certificate, add an asterisk (*) in front of your domain name. For example, *.yourwebsite.com
- OU (Organizational Unit): name the unit within your organization requesting the SSL certificate. For instance, IT or Web Administration
- O (Organization): submit the full, legal name of your company. For example, GPI Holding LLC
- L (Locality): type the full name of the city where your company is registered. For example, San Jose
- ST (State or region): write the full name of the state or region where your company is located. For instance, California
- C (Country): enter the two-letter code of your country. For example, US. Here you can find the full list of country codes.
The whole string should look like this:
CN=yourwebsite.com, OU=IT, O=Your Company Name, L=City, ST=State, C=Country
- Click OK and return to the Gateway Cluster Properties, under VPN. You should see now a certificate request under the Nickname you created
- Click View to see your newly generated CSR code
- You can now copy the CSR content, including the BEGIN and END tags into a text editor of your choice and save the file on your device. Click Save to File to export your CSR code, then OK
You will need to use the CSR code during your SSL order with your vendor.
Step 4: Install an SSL Certificate on CheckPoint VPN
Since you’ve already imported the root and intermediate Certificates into CheckPoint, all that’s left is your primary SSL Certificate. You should receive it via email from your CA in a ZIP Folder. After you download and extract your primary SSL Certificate, please follow the steps below to complete the installation:
- In your Smart Dashboard, expand the Network Objects tree, right-click your CheckPoint gateway/cluster, and select Edit
- In the Gateway Cluster Properties window, choose VPN, then select the nickname you gave to your cert during CSR generation, at point 3 from Step 3 above. Click Complete
- Next, browse your SSL Certificate and click Open
- Double check the details of your certificate and click OK
Congratulations, you’ve successfully installed an SSL Certificate on CheckPoint VPN.
Test Your SSL Installation
After you install an SSL certificate on CheckPoint VPN, some SSL errors or vulnerabilities may still exist. To avoid potential trouble, it’s recommended to run a diagnostic test on your SSL installation. Plenty of SSL tools can instantly generate reports on your SSL Certificate.
Where to buy the best SSL Certificate for Checkpoint VPN?
When buying an SSL Certificate, you should consider three crucial aspects: validation type, price, and customer service. At SSL Dragon, we offer the entire range of SSL Certificate at affordable prices, backed by five-star customer service! Our SSL certificates are signed by renowned Certificate Authorities, and thus are compatible with the majority of VPN appliances, including CheckPoint. Whether you need a cheap Domain Validation certificate or a premium Extended Validation product we’ve got you covered.
SSL Dragon’s prices are the most competitive on the market, while our dedicated support team is highly appreciated by the existing customers.
If you don’t know what type of SSL certificate to choose, simply use our SSL Wizard and Certificate Filter tools. They will help you find the ideal SSL product for your website.
If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.