Client Certificates for Smartphones and Tablets

In This Section: Managing Client Certificates Creating Client Certificates Revoking Certificates Creating Templates for Certificate Distribution Cloning a Template Giving Permissions for Client Certificates

To allow your users to access their resources using their handheld devices, make sure they can authenticate to the Gateway with client certificates.

In many organizations, the daily task of assigning and maintaining client certificates is done by a different department than the one that maintains the Security Gateways. The computer help desk, for example. You can create an administrator that is allowed to use SmartConsole to create client certificates, while restricting other permissions.

To configure client certificates, open SmartConsole and go to Security Policies > Access Control > Access Tools > Client Certificates.

To configure the Mobile Access policy, go to Manage & Settings > Blades > Mobile Access > Configure in SmartDashboard. The Client Certificates page in SmartConsole is a shortcut to the SmartDashboard Mobile Access tab, Client Certificates page.

Managing Client Certificates

Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management Server that manages the Mobile Access Security Gateway.

Manage client certificates in Security Policies > Access Control > Access Tools > Client Certificates..

The page has two panes.

• In the Client Certificates pane:
  • Create, edit, and revoke client certificates.
  • See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click Show more to see more results.
  • Search for specified certificates.
  • Send certificate information to users.
• In the Email Templates for Certificate Distribution pane:
  • Create and edit email templates for client certificate distribution.
  • Preview email templates.

Creating Client Certificates

Note - If you use LDAP or AD, creation of client certificates does not change the LDAP or AD server. If you get an error message regarding LDAP/AD write access, ignore it and close the window to continue.

To create and distribute certificates with the client certificate wizard:

1. In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.
2. In the Client Certificates pane, click New.

   The Certificate Creation and Distribution wizard opens.

3. In the Certificate Distribution page, select how to distribute the enrollment keys to users. You can select one or both options.
   1. Send an email containing the enrollment keys using the selected email template - Each user gets an email, based on the template you choose, that contains an enrollment key.
      • Template - Select the email template that is used.
      • Site - Select the gateway that users connect to.
      • Mail Server - Select the mail server that sends the emails.

      You can click Edit to view and change its details.

   2. Generate a file that contains all of the enrollment keys - Generate a file for your records that contains a list of all users and their enrollment keys.
4. Optional: To change the expiration date of the enrollment key, edit the number of days in Users must enroll within x days.
5. Optional: Add a comment that will show next to the certificate in the certificate list on the Client Certificates page.
6. Click Next.

   The Users page opens.

7. Click Add to add the users or groups that require certificates.
   • Type text in the search field to search for a user or group.
   • Select a type of group to narrow your search.
8. When all included users or groups show in the list, click Generate to create the certificates and send the emails.
9. If more than 10 certificates are being generated, click Yes to confirm that you want to continue.

   A progress window shows. If errors occur, an error report opens.

10. Click Finish.
11. Click Save.
12. From SmartConsole, install the Policy.

Revoking Certificates

If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the Client Certificate list.

To revoke one or more certificates:

1. Select the certificate or certificates from the Client Certificate list.
2. Click Revoke.
3. Click OK.

After you revoke a certificate, it does not show in the Client Certificate list.

Creating Templates for Certificate Distribution

To create or edit an email template:

1. In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.
2. To create a new template: In the Email Templates for Certificate Distribution pane, select New.

   To edit a template: In the Email Templates for Certificate Distribution pane, double-click a template.

   The Email Template opens.

3. Enter a Name for the template.
4. Optional: Enter a Comment. Comments show in the Mail Template list on the Client Certificates page.
5. Optional: Click Languages to change the language of the email.
6. Enter a Subject for the email. Click Insert Field to add a predefined field, such as a Username.
7. In the message body add and format text. Click Insert Field to add a predefined field, such as Username, Registration Key, or Expiration Date.
8. Click Insert Link to add a link or QR code and select the type of link to add.

   For each link type, you select which elements will be added to the mail template:

   • QR Code - Users scan the code with their mobile devices.
   • HTML Link - Users tap the link on their mobile devices.

     You can select both QR Code and HTML link to include both in the email.

     The text in Display Text is the text that shows on the link.

   a. Certificate and Site Creation - For users who already have a Check Point app installed. When users scan the CR code or go to the link, it creates the site and registers the certificate.

   • Select the client type that will connect to the site- Select one client type that users will have installed.
     • Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
     • Capsule Connect/VPN - A full L3 tunnel app that gives users network access to all mobile applications.

   b. Download Application - Direct users to download a Check Point App for their mobile devices.

   • Select the client device operating system:
     • iOS
     • Android
   • Select the client type to download:
     • Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.
     • Capsule Connect/VPN - A full L3 tunnel app that gives users network access to all mobile applications.
   • Select which elements will be added to the mail template:
     • QR Code - Users scan the code with their mobile devices
     • HTML Link - Users tap the link on their mobile devices.
     • Display Text - Enter the text to show on the HTML link.
9. Click OK.
10. Optional: Click Preview in Browser to see a preview of how the email will look.
11. Click OK.
12. Publish the changes

Cloning a Template

Clone an email template to create a template that is similar to one that already exists.

To create a clone of an email template:

1. Select a template from the template list in the Client Certificates page.
2. Click Clone.
3. A new copy of the selected template opens for you to edit.

Giving Permissions for Client Certificates

You can create an administrator that is allowed to use SmartConsole to create client certificates, and restrict other permissions.

To make an administrator for client certificates:

1. Define an administrator.
2. Create a customized profile for the administrator, with permission to handle client certificates. Configure this in the Others page of the Administrator Profile. Restrict other permissions.