How to install a Certificate Signing Request for Check Point Firewall?

Obtaining a Certificate from a 3rd-party Certificate Authority

After you define the third-party Certificate Authorities and the gateway/cluster object trusts them, you can request and obtain a certificate from them. Requesting a certificate is a multi-step process: you issue a Certificate Signing Request (CSR), submit it to a trusted third-party CA for signing, and then import the signed certificate back into the firewall.

1. Select the Network Objects tab and edit the Check Point gateway/cluster object.

2. Select VPN and click Add to add a certificate to the Repository of Certificates available to the Gateway.

3. Enter a name in the Certificate Nickname field (this is for your reference) and select which Certificate Authority will sign your CSR. Select the third-party CA that you installed above.

Note: If this is for Symantec, use the INTERMEDIATE CA and not the ROOT CA.

4. Click Generate to start the process of creating a CSR.

5. Click Yes in the warning that appears. If you make a mistake, delete the CSR request and start over.

6. In the Generate Certificate Request window, enter DN information. Refer to previous SSL Certificate information for this data. Do not select "Define Alternate Names".

If this is a new SSL Certificate request, the general format for DN is as follows:

CN=sitename.domain.com (if gateway name, it has to match exactly!) OR *.domain.com for a Wildcard certificate

OU=Group name (ex. IT Operations)

O=Company Name

L=Location/City information

ST=State (DO NOT USE "s=")

C=Country (ex. US)

These values are separated by commas. Not all of these values are needed; the minimum is CN= with the site name or gateway name.

(Example: CN=sitename.domain.com,OU=IT Operations, O=Company Name, L=City, ST=State, C=US)

Note 1: Check Point does not support the standard E= or S= attribute. If needed, use ST= instead of S= or E=.

Note 2: If a literal "," is needed in a name, use "\" to escape the comma. Example: O=Company Name\, Inc.

7. Click OK to generate a CSR.

8. Click OK in the created successfully message. Now you have an entry for a certificate and you need to submit the CSR to the third party.

9. To sign the request, click View. The Certificate Request View appears.


10. Click Save to a File… This lets you save this to a text file that you can then send to your third party.

Alternatively:

Click Copy to Clipboard and paste this on the third party web site that requests the signing certificate.


11. When you get the file back from the third party, save the file, and then go back to the Gateway properties window > VPN > select the certificate, and click Complete.

12. Select the signed CSR and click Open.

13. Review the details of the certificate.

14. Now the certificate is installed. When you click OK and install the policy, the SSL certificate will be installed on the gateway.

Note: If you need to install an SSL Certificate on a Connectra gateway, please refer to the Connectra Administration Guide (http://supportcontent.checkpoint.com/documentation_download?ID=8393) for instructions, as the GUI does not support Connectra Gateway SSL Certificates.
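
The DN rules from step 6 (CN as the minimum, no S= or E=, commas inside a name escaped with "\") can be checked before the string is typed into the Generate Certificate Request window. The following Python sketch is an added example, not Check Point code; the function names and the example.com DNs are constructed for illustration.

```python
# Added example: lint a DN string against the rules listed in step 6.
# Function names and sample DNs are illustrative, not part of any Check Point tool.
UNSUPPORTED = {"S": "use ST= for the state", "E": None}  # per Note 1 on this page

def split_dn(dn):
    """Split a DN on commas, leaving backslash-escaped commas inside the value."""
    parts, current, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]      # keep the escape pair together
            i += 2
            continue
        if dn[i] == ",":
            parts.append(current.strip())
            current = ""
        else:
            current += dn[i]
        i += 1
    parts.append(current.strip())
    return parts

def check_dn(dn):
    """Return a list of problems; an empty list means the DN passes these checks."""
    problems, seen = [], set()
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        attr = attr.strip().upper()
        if not sep:
            problems.append(f"'{rdn}' is not TYPE=value (unescaped comma in a name?)")
            continue
        seen.add(attr)
        if attr in UNSUPPORTED:
            hint = UNSUPPORTED[attr]
            problems.append(f"{attr}= is not supported" + (f"; {hint}" if hint else ""))
        if not value.strip():
            problems.append(f"{attr}= has an empty value")
    if "CN" not in seen:
        problems.append("CN= is missing; it is the minimum required value")
    return problems

if __name__ == "__main__":
    for dn in (
        "CN=sitename.domain.com,OU=IT Operations, O=Company Name, L=City, ST=State, C=US",
        r"CN=gw.example.com,O=Company Name\, Inc.,C=US",   # constructed
        "CN=gw.example.com,O=Company Name, Inc.,S=Texas",  # constructed, two faults
    ):
        print(dn, "->", check_dn(dn) or "OK")
```

The third sample shows why the escape matters: an unescaped comma in the company name splits off "Inc." as a fragment with no attribute type.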