Client Certificates for Smartphones and Tablets

To allow your users to access their resources using their handheld devices, make sure they can authenticate to the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. with client certificates.

In many organizations, the daily task of assigning and maintaining client certificates is done by a different department than the one that maintains the Security Gateways. The computer help desk, for example. You can create an administrator that is allowed to use SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to create client certificates, while restricting other permissions (see Giving Permissions for Client Certificates).

To configure client certificates, open SmartConsole and go to Security Policies > Access Control > Access Tools > Client Certificates.

To configure the Mobile AccessClosed Check Point Software Blade on a Security Gateway that provides a Remote Access VPN access for managed and unmanaged clients. Acronym: MAB. policy, go to Manage & Settings > Blades > Mobile Access > Configure in SmartDashboard. The Client Certificates page in SmartConsole is a shortcut to the SmartDashboardClosed Legacy Check Point GUI client used to create and manage the security settings in versions R77.30 and lower. In versions R80.X and higher is still used to configure specific legacy settings. Mobile Access tab, Client Certificates page.

Managing Client Certificates

Check Point Mobile Apps for mobile devices can use certificate-only authentication or two-factor authentication with client certificates and username/password. The certificate is signed by the internal CA of the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. that manages the Mobile Access Security Gateway.

Manage client certificates in Security Policies > Access Control > Access Tools > Client Certificates..

The page has two panes.

  • In the Client Certificates pane:

    • Create, edit, and revoke client certificates.

    • See all certificates, their status, expiration date and enrollment key. By default, only the first 50 results show in the certificate list. Click Show more to see more results.

    • Search for specified certificates.

    • Send certificate information to users.

  • In the Email Templates for Certificate Distribution pane:

    • Create and edit email templates for client certificate distribution.

    • Preview email templates.

Creating Client Certificates

Note - If you use LDAP or AD, creation of client certificates does not change the LDAP or AD server. If you get an error message regarding LDAP/AD write access, ignore it and close the window to continue.

  1. In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.

  2. In the Client Certificates pane, click New.

    The Certificate Creation and Distribution wizard opens.

  3. In the Certificate Distribution page, select how to distribute the enrollment keys to users. You can select one or both options.

    1. Send an email containing the enrollment keys using the selected email template -Each user gets an email, based on the template you choose, that contains an enrollment key.

      • Template - Select the email template that is used.

      • Site - Select the Security Gateway, to which users connect.

      • Mail Server - Select the mail server that sends the emails.

      You can click Edit to view and change its details.

    2. Generate a file that contains all of the enrollment keys - Generate a file for your records that contains a list of all users and their enrollment keys.

  4. Optional: To change the expiration date of the enrollment key, edit the number of days in Users must enroll within x days.

  5. Optional: Add a comment that will show next to the certificate in the certificate list on the Client Certificates page.

  6. Click Next.

    The Users page opens.

  7. Click Add to add the users or groups that require certificates.

    • Type text in the search field to search for a user or group.

    • Select a type of group to narrow your search.

  8. When all included users or groups show in the list, click Generate to create the certificates and send the emails.

  9. If more than 10 certificates are being generated, click Yes to confirm that you want to continue.

    A progress window shows. If errors occur, an error report opens.

  10. Click Finish.

  11. Click Save.

  12. In SmartConsole, install the Policy.

Revoking Certificates

If the status of a certificate is Pending Enrollment, after you revoke it, the certificate does not show in the Client Certificate list.

  1. Select the certificate or certificates from the Client Certificate list.

  2. Click Revoke.

  3. Click OK.

After you revoke a certificate, it does not show in the Client Certificate list.

Creating Templates for Certificate Distribution

  1. In SmartConsole, select Security Policies > Access Control > Access Tools > Client Certificates.

  2. To create a new template: In the Email Templates for Certificate Distribution pane, select New.

    To edit a template: In the Email Templates for Certificate Distribution pane, double-click a template.

    The Email Template opens.

  3. Enter a Name for the template.

  4. Optional: Enter a Comment. Comments show in the Mail Template list on the Client Certificates page.

  5. Optional: Click Languages to change the language of the email.

  6. Enter a Subject for the email. Click Insert Field to add a predefined field, such as a Username.

  7. In the message body add and format text. Click Insert Field to add a predefined field, such as Username, Registration Key, or Expiration Date.

  8. Click inside the E-mail Template body.

  9. Click Insert Link and select the type of link to add (link or QR code).

    • For users who already have a Check Point app installed.

      When users scan the QR code or go to the link, it creates the site and registers the certificate.

      Select the client type that will connect to the site- Select one client type that users will have installed:

      • Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.

      • Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.

    • Direct users to download a Check Point App for their mobile devices.

      Select the client device operating system:

      • iOS

      • Android

      Select the client type that will connect to the site- Select one client type that users will have installed:

      • Capsule Workspace - An app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.

      • Capsule Connect/VPN - A full Layer 3 tunnel app that gives users network access to all mobile applications.

    • Lets you configure your own URL.

    • Link URL - Enter the full link address.

    • QR Code - When enabled, users scan the code with their mobile devices.

    • HTML Link - When enabled, users tap the link on their mobile devices.

      You can select both QR Code and HTML Link to include both in the email.

    • Display Text - Enter the text for the link title.

  10. Click OK.

  11. Optional: Click Preview in Browser to see a preview of how the email will look.

  12. Click OK.

  13. Publish the changes

Cloning a Template

Clone an email template to create a template that is similar to one that already exists.

  1. Select a template from the template list in the Client Certificates page.

  2. Click Clone.

  3. A new copy of the selected template opens for you to edit.

Giving Permissions for Client Certificates

You can create an administrator that is allowed to use SmartConsole to create client certificates, and restrict other permissions.

  1. Define an administrator (see Managing Administrator Accounts).

  2. Create a customized profile for the administrator, with permission to handle client certificates. Configure this in the Others page of the Administrator Profile. Restrict other permissions (seeAssigning Permission Profiles to Administrators).