bg-tutorials

How to Install an SSL Certificate on Checkpoint VPN

This tutorial shows you how to install an SSL certificate on a Check Point VPN gateway and how to generate the CSR (Certificate Signing Request) it needs.

Check Point works a little differently from most appliances: the certificate is bound to the Security Gateway object and applied through the management client, and the issuing CA chain has to be trusted before the server certificate will validate.

Check Point changed its management tooling over the years. On R80, R81.10, R81.20, and R82 (the versions in production support today) you manage everything from SmartConsole. On legacy R77.x and older deployments you use the standalone SmartDashboard client. This guide leads with the current SmartConsole workflow and keeps the legacy SmartDashboard steps at the end for older gateways.

Before the steps, two quick definitions. A root certificate is issued by a trusted Certificate Authority and sits at the top of the chain of trust; it ships in the browser’s trusted root store. An intermediate certificate is signed by that root and is what actually issues your end-entity (server) certificate. The intermediate adds a layer of security because day-to-day signing never happens directly from the root. Check Point needs both so it can build and validate the complete chain.

Step 1: Get the root and intermediate certificates

With most platforms, you generate the CSR first and receive every file afterward, once the CA validates your request. Check Point is more flexible: you can trust the CA chain first, which makes installing the final server certificate cleaner. Ask your SSL vendor or CA for the root and intermediate CA certificates in X.509 / PEM (Base64) format. These are public certificates, so any CA can supply them on request, and they are also published in the CA’s repository.

A PEM certificate is a plain-text block that begins with —–BEGIN CERTIFICATE—– and ends with —–END CERTIFICATE—–. Save each certificate in its own text file with a .crt extension. You can create the files in any plain-text editor such as Notepad. Do not use a word processor, which may add invisible formatting that corrupts the file.

Note: some CAs use two intermediate certificates for broader compatibility. Save each one as a separate .crt file and add them individually.

Step 2: Trust the root and intermediate certificates

On the current SmartConsole-based versions, you do not have to import the chain through a separate dialog the way the old SmartDashboard required. Instead, you bundle the full chain together with the server certificate later in Step 4, so the gateway receives the certificate and its issuers in one file. Keep the .crt files from Step 1 ready. You will need them to assemble that bundle.

If you also use these certificates elsewhere (for example to validate third-party peers in a site-to-site VPN), you can add them as trusted CAs in SmartConsole under Security Policies > Access Tools > Trusted CAs, then Install Policy. For the Mobile Access / VPN portal certificate covered here, bundling the chain in Step 4 is the supported approach.

Running a legacy R77.x gateway with the standalone SmartDashboard client? Use the legacy SmartDashboard procedure at the end of this tutorial, which imports the root and intermediate CAs explicitly under Servers > Trusted CAs.

Step 3: Generate the CSR on Check Point

On R80 and later, Check Point generates the portal server certificate’s CSR and private key at the command line on the gateway, using its built-in OpenSSL wrapper. Connect to the gateway over SSH, enter Expert mode, and run the following, replacing the file names with your own:

cpopenssl req -new -out /home/admin/yourwebsite.csr -keyout /home/admin/yourwebsite.key -config $CPDIR/conf/openssl.cnf

OpenSSL prompts you for a password to protect the private key, then for the certificate’s subject fields. Fill them in carefully. The Common Name must be the fully qualified domain name (FQDN) that users type to reach the VPN/portal:

  • Common Name (CN), the FQDN you want to secure, for example vpn.yourwebsite.com. For a wildcard certificate, put an asterisk in front of the domain, for example *.yourwebsite.com.
  • Organizational Unit (OU), the unit requesting the certificate, for example IT or Web Administration.
  • Organization (O), the full legal name of your company, for example GPI Holding LLC.
  • Locality (L), the full city name where your company is registered, for example San Jose.
  • State (ST), the full state or region name, for example California.
  • Country (C), the two-letter country code, for example US. You can find the full list of country codes online.

The resulting CSR file holds your details in a single subject (DN) string that looks like this:

CN=vpn.yourwebsite.com, OU=IT, O=Your Company Name, L=City, ST=State, C=Country

Open the .csr file in a text editor and copy its full contents, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– lines. You submit this CSR during your SSL order. Keep the matching .key private-key file safe on the gateway. You must not lose it, and you should never share it.

Tip: if you would rather not touch the command line, you can generate the CSR with our free CSR Generator and keep the private key it produces. Either way, the CSR is what your CA needs to issue the certificate.

Step 4: Install the SSL certificate on Check Point VPN

When validation is complete, your CA emails you the issued server certificate, usually in a ZIP archive alongside the chain. To import it through SmartConsole you need everything in one .p12 (PKCS#12) file: the server certificate, its private key, and the intermediate and root certificates. If you have the pieces as separate files, combine them with the gateway’s OpenSSL by running this in Expert mode:

cpopenssl pkcs12 -export -out /home/admin/yourwebsite.p12 -inkey /home/admin/yourwebsite.key -in /home/admin/yourwebsite.crt -certfile /home/admin/chain.crt

Here yourwebsite.crt is your server certificate, yourwebsite.key is the private key from Step 3, and chain.crt is the intermediate and root certificates concatenated into one file (intermediate first, then root). OpenSSL asks you to set an export password; you will type it again during import. With the .p12 ready, install it:

  1. Open SmartConsole and go to Gateways & Servers in the left navigation.
  2. Double-click your Security Gateway (or cluster) object to edit it.
  3. In the left pane, open the blade that serves your portal: Mobile Access > Portal Settings for the Mobile Access VPN portal, or Platform Portal for the Gaia management portal.
  4. In the Certificate section, click Import or Replace.
  5. Browse to your .p12 file, enter the export password you set, and confirm. SmartConsole reads the certificate, key, and chain from the file.
  6. Click OK to close the gateway object.
  7. Click Install Policy and push the policy to the gateway so the new certificate takes effect.

Congratulations, you have installed an SSL certificate on your Check Point VPN. After the policy installs, the gateway presents the new certificate on the portal URL.

Legacy method: SmartDashboard (R77.x and older)

If you still run an older gateway managed by the standalone SmartDashboard client, the certificate is generated and installed entirely in the GUI. First, import the CA chain:

  1. Log in to SmartDashboard. On the Servers and OPSEC Applications tab, go to Servers > Trusted CAs, right-click and choose New CA > Trusted.
  2. On the General tab of the Certificate Authority Properties window, enter a Name and an optional Comment, then continue.
  3. On the OPSEC PKI tab, under Retrieve CRL from, leave only HTTP Server(s) checked.
  4. Under Certificate, next to Get the CA certificate from a file, click Get, browse to your root.crt file, and click OK.
  5. Repeat the previous steps for your intermediate.crt file. Then open Servers > Trusted CAs and confirm both CAs are listed.

Next, generate the CSR and install the certificate:

  1. Expand Network Objects, right-click your Check Point gateway/cluster, and choose Edit.
  2. In Gateway Cluster Properties, select VPN in the left pane and click Add.
  3. Enter a Certificate Nickname, and from the CA to enroll from drop-down select the intermediate CA you imported above. Click Generate, then Yes.
  4. In the DN box of the Generate Certificate Request window, type your details as one comma-separated string, for example CN=vpn.yourwebsite.com, OU=IT, O=Your Company Name, L=City, ST=State, C=Country, and click OK.
  5. Back under VPN, click View to see the CSR, then Save to File to export it. Submit that CSR to your CA.
  6. When the signed certificate arrives, edit the gateway again, select VPN, choose the same nickname, and click Complete. Browse to your server certificate, click Open, review the details, and click OK. Then install the policy.

Whichever method you use, plan ahead: Check Point’s older SmartDashboard client is unavailable on current versions, so if you are still on R77.x, treat an upgrade to a supported release as part of your certificate lifecycle.

Test your SSL installation

Even after a clean install, configuration gaps such as a missing intermediate or a weak protocol can linger. Run a quick diagnostic to be sure the gateway serves the full chain and a modern TLS configuration. The fastest check is to open the VPN/portal URL in a browser and inspect the padlock, but a dedicated scanner is more thorough.

Use our free SSL checker to generate an instant report on your certificate, chain, and supported protocols. If you have OpenSSL on your own machine, you can also query the gateway directly. Swap in your portal host and port (the Mobile Access portal usually listens on 443):

echo | openssl s_client -connect vpn.yourwebsite.com:443 -servername vpn.yourwebsite.com 2>/dev/null | openssl x509 -noout -issuer -subject -dates

If the certificate is live, this prints its issuer, subject, and validity dates. A complete chain and matching FQDN mean your installation is good to go.

Where to buy the best SSL certificate for Check Point VPN?

When buying an SSL certificate, weigh three things: validation type, price, and support. At SSL Dragon we offer the full range of SSL certificates at competitive prices, backed by five-star customer service. Our certificates are signed by renowned Certificate Authorities, so they are compatible with the majority of VPN appliances, including Check Point. Whether you need a budget Domain Validation certificate or a premium Extended Validation product, we have you covered.

SSL Dragon’s prices are among the most competitive on the market, and our dedicated support team is highly rated by existing customers.

Not sure which certificate to choose? Use our SSL Wizard tool to find the ideal product for your Check Point deployment.

Frequently Asked Questions

Do I use SmartConsole or SmartDashboard to install the certificate?

On all currently supported versions (R80, R81.10, R81.20, and R82), you use SmartConsole. The standalone SmartDashboard client only applies to legacy R77.x and older gateways. If you are unsure, check your version with cpinfo -y all on the management server, or read it from the SmartConsole login window.

Why does Check Point want the root and intermediate certificates up front?

Check Point validates the complete chain of trust for the portal certificate. If the intermediate (and, for older clients, the root) is missing, the gateway cannot link your server certificate back to a trusted root, and clients see certificate warnings. Bundling the chain into the .p12 file (or importing the CAs explicitly on legacy SmartDashboard) ensures the chain is complete.

What format does the certificate need to be in?

To import through SmartConsole, the certificate must be a .p12 (PKCS#12) file that contains the server certificate, its private key, and the full chain, or a PEM file with the server certificate first, followed by the intermediate(s) and root. The CA-supplied chain certificates themselves should be PEM (Base64) .crt files when you assemble the bundle.

How do I create the .p12 file from separate certificate and key files?

In Expert mode on the gateway, run cpopenssl pkcs12 -export -out yourwebsite.p12 -inkey yourwebsite.key -in yourwebsite.crt -certfile chain.crt, where chain.crt holds the intermediate and root certificates. OpenSSL prompts you to set an export password, which you then enter during the SmartConsole import.

Can I generate the CSR somewhere other than the gateway?

Yes. You can generate the CSR and private key with our CSR Generator or any OpenSSL installation, then build the .p12 from the issued certificate and that key. Just keep the private key secure and matched to the CSR; the certificate will only work with the exact key it was issued against.

The new certificate is not showing after install. What did I miss?

The most common cause is forgetting to Install Policy after the import; the gateway only serves the new certificate once the policy is pushed. Also confirm you imported the certificate on the correct blade page (Mobile Access vs Platform Portal) for the portal you are testing, and that the Common Name matches the URL you open.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been building and managing websites for over 20 years, with a heavy focus on the technical side of the cybersecurity, VPN, and SaaS industries. I know how sites are built from the ground up, which means I know how to secure them. Here at SSL Dragon, I write about web architecture, encryption, and keeping your infrastructure safe.