SSL Settings

The default, pre-installed, LOM certificate is privately signed. As a result, the browser does not trust it.

After initial login, you can replace the SSL certificate with one of these certificates:

  • Self-signed SSL certificates created in the LOM WebUI - Must be set as trusted in the client web browser

  • Self-signed SSL certificates created on the CLI (Gaia or Linux) - Must be set as trusted in the client web browser

  • SSL certificates signed by the Internal Certificate Authority (ICA) on a Check Point Management Server

Generating a Self-Signed SSL Certificate in the LOM WebUI

Important - After you create the certificate, you must upload the certificate manually (see Uploading an SSL Certificate to LOM).

To generate a new self-signed SSL certificate in the LOM WebUI:

  1. Select Configuration > SSL.

    The SSL Certificate Configuration window opens.

  2. Click Generate SSL.

  3. Enter the information for the certificate and the key:

    Note - Use only alphanumeric characters, hyphens, underscores, and periods. Do not use spaces. For the Email Address field, you can use any characters.

    • Common Name (CN) - The exact name being certified (usually the Web server's domain name)

    • Organization (O) - Name of the organization

    • Organization Unit (OU) - Name of the section in the organization

    • City or Locality (L) - City or location of the organization (required)

    • State or Province (ST) - State or province of the organization (required)

    • Country (C) - Country code of the organization (required)

    • Email Address - Email address for the organization (required)

    • Valid For - Number of days until the certificate expires

    • Key Length - Number of bits in the private key (1024 or 2048)

  4. Click Generate.

To view the information on an existing SSL certificate:

  1. Select Configuration > SSL.

    The SSL Certificate Configuration window opens.

  2. Click View SSL.

Generating a Self-Signed SSL Certificate in CLI

You can create an SSL certificate and a private key in the command line on a Gaia appliance, or on a Linux-based server.

Important - After you create the certificate, you must upload the certificate manually (see Uploading an SSL Certificate to LOM).

To create an SSL certificate and a private key on a Gaia server:

  1. Connect to the command line on the Gaia server.

  2. Log in to the Expert mode.

  3. Create a certificate:

    cpopenssl req -config $CPDIR/conf/openssl.cnf -nodes [-days <num_days>] -x509 -newkey rsa:<size_bits> -keyout <key_file> -out <output_file>

    Parameters:

    • -nodes - Do not encrypt the output key.

    • -days <num_days> - Optional. Number of days the generated X.509 certificate is valid for. The default is 30, the maximum is 3650, and 365 is the recommended value.

      Note - If you do not enter the "-days" parameter at all, the certificate is valid for 30 days.

    • -x509 - Create a self-signed X.509 certificate instead of a certificate request.

    • -newkey rsa:<size_bits> - Generate a new RSA key of "size_bits" in size. Valid values are 512, 1024, 2048, and 4096.

      Best Practice - We recommend using 1024 or greater.

    • -keyout <key_file> - Save the key in the specified *.pem file.

      Note - LOM accepts only the *.pem key file format.

    • -out <output_file> - Save the certificate in the specified *.pem file.

      Note - LOM accepts only the *.pem certificate file format.

    Example:

    cpopenssl req -config $CPDIR/conf/openssl.cnf -nodes -days 365 -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem

    When the command is executed, you will be asked to enter these parameters:

    • Country Name - 2-letter code (for example: US)

    • State or Province Name - full name (for example: New York)

    • Locality Name - city (for example: Buffalo)

    • Organization Name - company name (for example: My Company)

    • Organizational Unit Name - section or department (for example: R&D)

    • Common Name - system identifier (for example: Check Point 13500 LOM or MAC address)

    • Email Address - full email address (for example: john@example.com)

    Some fields have default values. If you leave them blank, the default value will be used.

  4. Copy the output file from the appliance to your computer.

To create an SSL certificate and a private key on a Linux-based server:

  1. Connect to the command line on the Linux-based server.

  2. Create a certificate:

    openssl req -nodes -days <num_days> -x509 -newkey rsa:<size_bits> -keyout <key_file> -out cert.pem

    The command parameters are identical to the parameters for the "cpopenssl" command above.

  3. Copy the output file from the server to your computer.

Generating an SSL Certificate Signed by the ICA on a Management Server

Important - After you create the certificate, you must upload the certificate manually (see Uploading an SSL Certificate to LOM).

To create an SSL certificate that is signed by the Internal Certificate Authority on a Check Point Management Server:

  1. Connect to the command line on the Management Server.

  2. Log in to the Expert mode.

  3. Run:

    cpca_client create_cert -n "CN=<Common_Name>" -f /var/log/cert.p12 -w "" -k USER

    where <Common_Name> is a system identifier, for example the MAC address of the appliance or of the LOM card.

    Example:

    cpca_client create_cert -n "CN=11:22:33:44:55:66" -f /var/log/cert.p12 -w "" -k USER

  4. Run:

    cpopenssl pkcs12 -in /var/log/cert.p12 -nokeys -clcerts -passin pass: -out /var/log/cert.pem

  5. Run:

    cpopenssl pkcs12 -in /var/log/cert.p12 -nodes -nocerts -passin pass: -out /var/log/key.pem
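The following pre-upload check is an added example and is not part of the Check Point guide. It creates a certificate and key pair with the same openssl options as the Linux CLI procedure above, then verifies the properties LOM needs before you upload the files (PEM format, an unencrypted key, a key that matches the certificate, a certificate that is not about to expire, and a key length of at least 2048 bits); the same check applies to the cert.pem and key.pem extracted from the ICA-signed PKCS#12 file. The subject values and file names are constructed, and the openssl CLI is assumed to be on the path.

```shell
#!/bin/sh
# Added example (not from the LOM guide). Assumes the openssl CLI is
# installed; subject values and file names below are constructed.

# Mirrors the guide's "openssl req -nodes -days <n> -x509 -newkey rsa:<bits>"
# command, with the subject passed on the command line instead of prompts.
gen_selfsigned() {  # $1=key file  $2=cert file  $3=days  $4=bits  $5=CN
    openssl req -nodes -days "$3" -x509 -newkey "rsa:$4" \
        -keyout "$1" -out "$2" \
        -subj "/C=US/ST=New York/L=Buffalo/O=My Company/OU=R&D/CN=$5/emailAddress=john@example.com" \
        >/dev/null 2>&1
}

# Pre-upload check for a LOM certificate/key pair. Prints each problem
# found and returns non-zero if any check fails (0 = ready to upload).
check_lom_pair() {  # $1=key file  $2=cert file
    key=$1; cert=$2; rc=0
    # LOM accepts only *.pem files: both files must carry PEM armour.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" \
        || { echo "certificate is not in PEM format"; rc=1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" \
        || { echo "private key is not in PEM format"; rc=1; }
    # The key must be unencrypted (-nodes); LOM cannot prompt for a passphrase.
    if grep -q -- 'ENCRYPTED' "$key"; then echo "private key is encrypted"; rc=1; fi
    # The key must belong to the certificate: compare the public keys.
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ] \
        || { echo "private key does not match the certificate"; rc=1; }
    # The certificate must still be valid 30 days (2592000 s) from now.
    openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
        || { echo "certificate expires within 30 days"; rc=1; }
    # Key length: the guide allows 1024 or greater; modern browsers expect 2048+.
    bits=$(openssl pkey -in "$key" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "key is only ${bits:-?} bits"; rc=1; }
    return $rc
}
```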

Uploading an SSL Certificate to LOM

To upload an SSL certificate and a private key to the LOM WebUI:

  1. Select Configuration > SSL.

    The SSL Certificate Configuration window opens.

  2. Click Upload SSL.

  3. From New Certificate, click Choose File and select an SSL certificate file.

  4. From New Privacy Key, click Choose File and select a private key file.

  5. Click Upload.