Operations with Certificates

Management of SIC Certificates

SIC (Secure Internal Communication: the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL for secure communication; this authentication is based on the certificates issued by the ICA on a Check Point Management Server) certificates are managed using SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on).

Management of Security Gateway VPN Certificates

VPN certificates are managed in the VPN page of the corresponding network object. These certificates are issued automatically when the IPSec VPN blade (the Check Point Software Blade on a Security Gateway that provides Site to Site VPN and Remote Access VPN access) is defined for the Check Point Security Gateway (a dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) or host. This definition is specified in the General Properties window of the corresponding network object.

If a VPN certificate is revoked, a new one is issued automatically.

Management of User Certificates in SmartConsole

The user certificates of users that are managed on the internal database are managed in SmartConsole.

For more information, see User Certificates in the R81.10 Remote Access VPN Administration Guide.

Notifying Users about Certificate Initialization

The ICA (Internal Certificate Authority: a component on the Check Point Management Server that issues certificates for authentication) Management Tool can be configured to send a notification to users about certificate initialization.

To send mail notifications:

  1. In the Menu pane, click Configure the CA.

  2. In the Management Tool Mail Attributes area, configure:

    • The mail server

    • The mail "From" address

    • An optional "To" address, which can be used if the user's address is not known

      The administrator can use this address to get the certificates on the user's behalf and forward them later.

  3. Click Apply.

Retrieving the ICA Certificate Files

See cpca_client set_ca_services.

Searching for a Certificate

There are two search options:

  • A basic search that includes only the user name, type, status and the serial number

  • An advanced search that includes all the search fields (can only be performed by administrators with unlimited privileges)

To do a certificate search:

In the Manage Certificates page, enter the search parameters, and click Search.

Basic Search Parameters

  • User Name - Username string (by default, this field is empty)

  • Type - Drop-down list with these options:

    • Any (default)

    • SIC

    • Gateway

    • Internal User or LDAP user

  • Status - Drop-down list with these options:

    • Any (default)

    • Pending

    • Valid

    • Revoked

    • Expired

    • Renewed (superseded)

  • Serial Number - Serial number of the requested certificate (by default, this field is empty)

Advanced Search Attributes

In addition to the parameters of the basic search, specify these parameters:

  • Sub DN - DN substring (by default, this field is empty)

  • Valid From - Date from which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 15-Jan-2003) (by default, this field is empty)

  • Valid To - Date until which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 14-Jan-2003 15:39:26) (by default, this field is empty)

  • CRL Distribution Point - Drop-down list with these options:

    • Any (default)

    • No CRL Distribution Point (for certificates issued before the management upgrade - old CRL mode certificates)

    The list also shows all available CRL numbers.

The Search Results

The results of a search show in the Search Results pane. This pane consists of a table that lists attributes of the certificates found, such as:

  • Serial Number (SN) - The SN of the certificate

  • User Name (CN) - The string in the DN between the first equals sign ("=") and the next comma (",")

  • DN

  • Status - One of these: Pending, Valid, Revoked, Expired, Renewed (superseded)

  • Validity period - The date from which the certificate is valid and the date on which it expires

Note - The status bar shows search statistics after each search.
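To make the search-field conventions concrete, here is an added Python example (not Check Point's code and not part of the original page) that validates the dd-mmm-yyyy [hh:mm:ss] date format, derives the User Name (CN) column from a DN by the rule above, and filters constructed sample records the way the basic and advanced search fields are described. The sample serial numbers and DNs are hypothetical, and the rule that Valid From / Valid To keep only certificates whose whole validity period falls between the two bounds is an assumption.

```python
from datetime import datetime
# Search date format documented on the page: dd-mmm-yyyy with an optional hh:mm:ss.
_DATE_FORMATS = ("%d-%b-%Y %H:%M:%S", "%d-%b-%Y")
STATUSES = {"Pending", "Valid", "Revoked", "Expired", "Renewed (superseded)"}

def parse_search_date(text):
    """Parse a Valid From / Valid To value; reject anything outside the documented format."""
    text = text.strip()
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"not in dd-mmm-yyyy [hh:mm:ss] form: {text!r}")

def cn_from_dn(dn):
    """The page's rule for the User Name (CN) column: text between the first '=' and the next ','."""
    start = dn.find("=")
    if start < 0:
        raise ValueError(f"no '=' in DN: {dn!r}")
    end = dn.find(",", start)
    return dn[start + 1:end if end >= 0 else len(dn)].strip()

# Constructed sample records; serial numbers and DNs are hypothetical, not from the page.
SAMPLE_CERTS = [
    {"sn": 1001, "dn": "CN=alice,OU=users,O=mgmt.example", "status": "Valid",
     "valid_from": "15-Jan-2003", "valid_to": "14-Jan-2005 15:39:26"},
    {"sn": 1002, "dn": "CN=bob,OU=users,O=mgmt.example", "status": "Revoked",
     "valid_from": "01-Mar-2003", "valid_to": "28-Feb-2005"},
    {"sn": 1003, "dn": "CN=gw-branch,O=mgmt.example", "status": "Expired",
     "valid_from": "10-Jun-2002 09:00:00", "valid_to": "09-Jun-2004"},
]

def search(records, status="Any", sub_dn="", valid_from=None, valid_to=None):
    """Filter by the page's search fields. Assumption (not on the page): Valid From /
    Valid To keep certificates whose whole validity period lies within the two bounds."""
    if status != "Any" and status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    lo = parse_search_date(valid_from) if valid_from else None
    hi = parse_search_date(valid_to) if valid_to else None
    hits = []
    for rec in records:
        if (status != "Any" and rec["status"] != status) or (sub_dn and sub_dn not in rec["dn"]):
            continue
        nb, na = parse_search_date(rec["valid_from"]), parse_search_date(rec["valid_to"])
        if (lo and nb < lo) or (hi and na > hi):
            continue
        hits.append({"sn": rec["sn"], "cn": cn_from_dn(rec["dn"]), "dn": rec["dn"],
                     "status": rec["status"], "valid_from": nb, "valid_to": na})
    return hits
```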

Viewing and Saving Certificate Details

You can view or save the certificate details that show in the search results.

To view and save certificate details:

Click on the DN link in the Search Results pane.

  • If the status is pending, the certificate information is shown together with the registration key, and a log entry is created that appears in SmartConsole > Logs & Monitor > Logs.

  • If the certificate was already created, you can save it to disk or open it directly (if the operating system recognizes the file extension).

Removing and Revoking Certificates and Sending Email Notifications

  1. In the Menu pane, click Manage Certificates.

  2. Search for certificates with the required attributes (see Searching for a Certificate).

    The results show in the Search Results pane.

  3. Select the certificates, as needed, and click one of these options:

    • Revoke Selected - revokes the selected certificates and removes pending certificates from the CA's database

    • Remove Selected - removes the selected certificates from the CA's database and from the CRL

      Note - You can only remove expired or pending certificates.

    • Mail to Selected - sends mail for all selected pending certificates

      The mail includes the authorization codes. Messages to users that do not have an email defined are sent to a default address. For more information, see Notifying Users about Certificate Initialization.

Submitting a Certificate Request to the CA

There are three ways to submit certificate requests to the CA:

  • Initiate - A registration key is created on the CA and used once by a user to create a certificate

  • Generate - A certificate file is created and associated with a password which must be entered when the certificate is accessed

  • PKCS#10 - When the CA receives a PKCS#10 request, the certificate is created and delivered to the requester

Initializing Multiple Certificates Simultaneously

You can initialize a batch of certificates at the same time.