Operations with Certificates
Management of SIC Certificates
SIC (Secure Internal Communication) is the Check Point proprietary mechanism with which Check Point computers that run Check Point software authenticate each other over SSL for secure communication. This authentication is based on certificates issued by the ICA on a Check Point Management Server. SIC certificates are managed in SmartConsole, the Check Point GUI application used to manage a Check Point environment (configure Security Policies, configure devices, monitor products and events, install updates, and so on).
Management of Security Gateway VPN Certificates
VPN certificates are managed in the VPN page of the corresponding network object. They are issued automatically when the IPSec VPN Software Blade (the blade that provides Site to Site VPN and Remote Access VPN on a Security Gateway) is enabled on the Check Point Security Gateway (the dedicated Check Point server that inspects traffic and enforces Security Policies for connected network resources) or host. The blade is enabled in the General Properties window of the corresponding network object.
If a VPN certificate is revoked, a new one is issued automatically.
Management of User Certificates in SmartConsole
The user certificates of users that are defined in the internal database are managed in SmartConsole.
For more information, see User Certificates in the R81 Remote Access VPN Administration Guide.
Notifying Users about Certificate Initialization
The ICA (Internal Certificate Authority, the component on the Check Point Management Server that issues certificates for authentication) Management Tool can be configured to send a notification to users about certificate initialization.
To send mail notifications:
- In the ICA Management Tool, click Configure the CA.
- In the Management Tool Mail Attributes area, configure:
  - The mail server
  - The mail "From" address
  - An optional "To" address, which is used if the user's address is not known. The administrator can use this address to receive the certificates on the user's behalf and forward them later.
- Click Apply.
Retrieving the ICA Certificate Files
For trust purposes, some Security Gateways and Remote Access clients must retrieve the ICA certificate, for example peer gateways that are not managed by the Security Management Server (the dedicated Check Point server that manages the objects and policies in a Check Point environment within a single management Domain; synonym: Single-Domain Security Management Server) or clients using Clientless VPN.
To retrieve the ICA Certificate:
- Open a browser and enter the applicable URL, in this format:
  http://<IP address of Management Server>:18264
  The Certificate Services window opens.
- Use the links to download the CA certificate to your computer or (in Windows) install the CA certification path.
Note - The certificate is served over plain HTTP, because the CA certificate itself is the trust anchor that the client does not have yet. Before installing it, verify its fingerprint against the value obtained directly on the Management Server, so that an attacker on the path cannot substitute a CA of their own.
Searching for a Certificate
There are two search options:
- A basic search that includes only the user name, type, status and the serial number
- An advanced search that includes all the search fields (can only be performed by administrators with unlimited privileges)
To do a certificate search:
In the Manage Certificates page, enter the search parameters, and click Search.
Basic Search Parameters
- User Name - Username string (by default, this field is empty)
- Type - Drop-down list with these options:
  - Any (default)
  - SIC
  - Gateway
  - Internal User or LDAP user
- Status - Drop-down list with these options:
  - Any (default)
  - Pending
  - Valid
  - Revoked
  - Expired
  - Renewed (superseded)
- Serial Number - Serial number of the requested certificate (by default, this field is empty)
Advanced Search Attributes
In addition to the parameters of the basic search, specify these parameters:
- Sub DN - DN substring (by default, this field is empty)
- Valid From - Date from which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 15-Jan-2003) (by default, this field is empty)
- Valid To - Date until which the certificate is valid, in the format dd-mmm-yyyy [hh:mm:ss] (for example 14-Jan-2003 15:39:26) (by default, this field is empty)
- CRL Distribution Point - Drop-down list with these options:
  - Any (default)
  - No CRL Distribution Point (for certificates issued before the management upgrade - old CRL mode certificates)
  The list also shows all available CRL numbers.
The Search Results
The results of a search show in the Search Results pane. This pane is a table that lists these attributes of each matching certificate:
- Serial Number (SN) - The SN of the certificate
- User Name (CN) - The string between the first equals sign ("=") and the next comma (",") in the DN
- DN
- Status - One of these: Pending, Valid, Revoked, Expired, Renewed (superseded)
- Validity - The date from which the certificate is valid and the date on which it expires
Note - The status bar shows search statistics after each search.
Viewing and Saving Certificate Details
You can view or save the certificate details that show in the search results.
To view and save certificate details:
Click the DN link in the Search Results pane.
- If the status is Pending, the certificate information shows together with the registration key, and a log entry is created that shows in SmartConsole > Logs & Monitor > Logs. The registration key is the one-time secret with which the user enrolls the certificate, so viewing it is a credential disclosure and is logged as such.
- If the certificate was already created, you can save it to disk or open it directly (if the operating system recognizes the file extension).
Removing and Revoking Certificates and Sending Email Notifications
- In the ICA Management Tool, click Manage Certificates.
- Search for certificates with the required attributes (see Searching for a Certificate).
  The results show in the Search Results pane.
- Select the certificates, as needed, and click one of these options:
  - Revoke Selected - revokes the selected certificates (a revoked certificate is listed in the CRL) and removes pending certificates from the CA's database
  - Remove Selected - removes the selected certificates from the CA's database and from the CRL
    Note - You can only remove expired or pending certificates. A certificate that is still valid cannot be removed; revoke it instead, so that relying parties learn through the CRL that it is no longer trusted.
  - Mail to Selected - sends mail for all selected pending certificates
    The mail includes the authorization codes (registration keys). Messages to users that do not have an email address defined are sent to the default "To" address. For more information, see Notifying Users about Certificate Initialization.
Submitting a Certificate Request to the CA
There are three ways to submit certificate requests to the CA:
- Initiate - A registration key is created on the CA and used once by the user to create a certificate
- Generate - A certificate file is created and associated with a password, which must be entered when the certificate is accessed
- PKCS#10 - When the CA receives a PKCS#10 request, the certificate is created and delivered to the requester

To initiate a certificate:
- In the ICA Management Tool, select Create Certificates > Initiate.
- Enter a User Name or Full DN, or click Advanced and fill in the form:
  - Certificate Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
  - Registration Key Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
- Click Go.
  A registration key is created and shows in the Results pane.
  If necessary, click Send mail to user to email the registration key. The number of characters in the email is limited to 1900.
- The certificate becomes usable after the user enters the correct registration key.

To generate a certificate:
- In the ICA Management Tool, select Create Certificates > Generate.
- Enter a User Name or Full DN, or click Advanced and fill in the form:
  - Certificate Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two years from the date of creation)
  - Registration Key Expiration Date - Select a date or enter the date in the format dd-mmm-yyyy [hh:mm:ss] (the default value is two weeks from the date of creation)
- Enter a password.
- Click Go.
- Save the P12 file, and supply it to the user.
  Note - The P12 file contains the private key as well as the certificate. Deliver the file and its password to the user through separate channels, and do not keep a copy of the file once it has been handed over.

To submit a PKCS#10 request:
- In the ICA Management Tool, select Create Certificates > PKCS#10.
- Paste the base64-encoded PKCS#10 request into the text box. The buffer is encoded, not encrypted: it carries the requester's subject name and public key, signed with the requester's private key, and the private key itself never leaves the requester.
  You can also click Browse for a file to insert (IE only) to import the request file.
- Click Create and save the created certificate.
- Supply the certificate to the requester.
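The buffer pasted into Create Certificates > PKCS#10 is base64-encoded DER, and the CA issues whatever subject name the request carries, so an administrator who receives a request from a user should check what is in it before submitting it. The following Python is an added example and not part of this guide or of Check Point's tooling: it hand-builds a structurally valid sample request with a placeholder (all-zero) public key and signature so that it runs offline, then performs the pre-flight check: strip the PEM armor, decode the base64, confirm the CertificationRequest structure and version 0, and extract the subject CN to compare against the intended user. It does not verify the proof-of-possession signature; the ICA does that, and it would reject this constructed sample for exactly that reason. The user name "alice" is constructed; the OIDs are the standard ones from RFC 2986 and RFC 5280.

```python
"""Pre-flight check of a PKCS#10 buffer before it is pasted into Create Certificates > PKCS#10.

Added example, not Check Point code. The sample request has a placeholder key and
signature so the script runs offline; the ICA would reject it (no valid signature).
"""
import base64
import re

# DER tag bytes used by a CertificationRequest (RFC 2986)
SEQUENCE, SET, INTEGER, OID, UTF8STRING, BITSTRING, NULL, CTX0 = (
    0x30, 0x31, 0x02, 0x06, 0x0C, 0x03, 0x05, 0xA0)
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2A864886F70D010101")         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n


def children(body: bytes) -> list:
    """Split the body of a constructed element into its (tag, body) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out


def build_sample_csr(cn: str) -> str:
    """Constructed PEM request for CN=<cn> with an all-zero key and signature (structure only)."""
    subject = der(SEQUENCE, der(SET, der(SEQUENCE, der(OID, OID_CN) + der(UTF8STRING, cn.encode()))))
    spki = der(SEQUENCE, der(SEQUENCE, der(OID, OID_RSA) + der(NULL, b"")) + der(BITSTRING, b"\x00" * 17))
    info = der(SEQUENCE, der(INTEGER, b"\x00") + subject + spki + der(CTX0, b""))  # version 0, no attributes
    sig_alg = der(SEQUENCE, der(OID, OID_SHA256_RSA) + der(NULL, b""))
    csr = der(SEQUENCE, info + sig_alg + der(BITSTRING, b"\x00" * 17))
    b64 = base64.b64encode(csr).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE REQUEST-----\n"


def inspect_csr(buffer: str) -> dict:
    """Decode a pasted PEM or bare base64 buffer; return version, subject CN and signature algorithm.

    Raises ValueError when the buffer is not a single well-formed CertificationRequest.
    The signature is NOT verified here; that is the CA's job.
    """
    body = re.sub(r"-----(BEGIN|END) (NEW )?CERTIFICATE REQUEST-----", "", buffer)
    raw = base64.b64decode("".join(body.split()), validate=True)  # base64 is encoding, not encryption
    tag, top, end = read_tlv(raw, 0)
    if tag != SEQUENCE or end != len(raw):
        raise ValueError("buffer is not a single DER SEQUENCE")
    parts = children(top)
    if [t for t, _ in parts] != [SEQUENCE, SEQUENCE, BITSTRING]:
        raise ValueError("expected CertificationRequest ::= SEQUENCE { info, signatureAlgorithm, signature }")
    info = children(parts[0][1])
    if len(info) < 3 or info[0] != (INTEGER, b"\x00"):
        raise ValueError("CertificationRequestInfo version must be 0")
    cn = None
    for _, rdn in children(info[1][1]):        # Name ::= SEQUENCE OF RelativeDistinguishedName (SET)
        for _, atv in children(rdn):           # AttributeTypeAndValue ::= SEQUENCE { type, value }
            (_, oid), (_, value) = children(atv)
            if oid == OID_CN:
                cn = value.decode()
    sig_oid = children(parts[1][1])[0][1]
    return {"version": 0, "cn": cn, "sha256_rsa": sig_oid == OID_SHA256_RSA, "der_len": len(raw)}


def request_is_for(buffer: str, expected_cn: str) -> bool:
    """True when the request's subject CN is the user the administrator intends to certify."""
    return inspect_csr(buffer)["cn"] == expected_cn


if __name__ == "__main__":
    pem = build_sample_csr("alice")
    print(pem)
    print(inspect_csr(pem))
    print("for alice:", request_is_for(pem, "alice"), "for bob:", request_is_for(pem, "bob"))
```

A real request from `openssl req` or a Windows client can be fed to `inspect_csr` unchanged; the point of the check is that the CA signs the subject name in the request as-is, so a mismatch between the CN and the user who sent the request should stop the submission.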
Initializing Multiple Certificates Simultaneously
You can initialize a batch of certificates at the same time.
- Create a file with the list of DNs to initialize.
  Note - There are two ways to create this file: through an LDAP query or a non-LDAP query.
- In the ICA Management Tool, go to Create Certificates > Advanced.
- Browse to the file you created.
- To send registration keys to the users, select Send registration keys via email.
- To receive a file that lists the initialized DNs with their registration keys, select Save results to file.
  This file can later be used in a script. Because it contains the registration keys, protect it like any other credential file and delete it once the keys have been distributed.
- Click Initiate from file.
The file initiated by the LDAP search has this format:
- The first line in the file, and each line that follows a blank line, represents one DN to be initialized
- If a line starts with "mail=", the rest of the line is the email address of the user. If no email is given, the email address is taken from the ICA's "Management Tool Mail To Address" attribute.
- If there is a line with the not_after attribute, the value on the next line is the Certificate Expiration Date, given in seconds from now.
- If there is a line with the otp_validity attribute, the value on the next line is the Registration Key Expiration Date, given in seconds from now.
An LDAP search that outputs the DN and these attributes for each user produces a file in this format.
It is possible to create a simple (non-LDAP) query by listing the DN and email of each user in a file using the same format: one DN per line, optionally followed by a "mail=" line, with entries separated by blank lines.
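The batch file format above takes expiration values in seconds from now, while the Initiate and Generate forms take dd-mmm-yyyy [hh:mm:ss] dates, and the results file is meant to be consumed by a script. The following Python is an added example, not part of this guide or of Check Point's tooling: it writes a batch initialization file in the described layout from a constructed list of users (converting GUI-style dates into seconds from now against a fixed clock so the values are reproducible), parses such a file back with the same rules, and extracts the User Name (CN) from a DN the way the Search Results pane defines it. The DNs, email addresses and the clock value are constructed.

```python
"""Write and read an ICA batch-initialization file (Create Certificates > Advanced > Initiate from file).

Added example, not Check Point code. DNs, addresses and the fixed clock are constructed.
Layout follows this guide: DN line, optional "mail=" line, and the not_after / otp_validity
attribute names each followed by a seconds-from-now value on the next line; a blank line
separates entries.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

ICA_DATE_FORMATS = ("%d-%b-%Y %H:%M:%S", "%d-%b-%Y")  # dd-mmm-yyyy [hh:mm:ss], as typed in the tool


def parse_ica_date(text: str) -> datetime:
    """Parse a date in the tool's dd-mmm-yyyy [hh:mm:ss] format, e.g. 14-Jan-2003 15:39:26."""
    for fmt in ICA_DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"not a dd-mmm-yyyy [hh:mm:ss] date: {text!r}")


def seconds_from_now(expiry: str, now: datetime) -> int:
    """Convert a GUI-style expiration date into the seconds-from-now value the batch file expects."""
    secs = int((parse_ica_date(expiry) - now).total_seconds())
    if secs <= 0:
        raise ValueError(f"expiry {expiry!r} is not after {now:%d-%b-%Y %H:%M:%S}")
    return secs


def cn_from_dn(dn: str) -> str:
    """User Name (CN) as the Search Results pane defines it: between the first '=' and the next ','."""
    start = dn.index("=") + 1
    end = dn.find(",", start)
    return dn[start:] if end == -1 else dn[start:end]


@dataclass
class BatchEntry:
    dn: str
    mail: str | None = None          # None: ICA falls back to "Management Tool Mail To Address"
    not_after: int | None = None     # certificate expiration, seconds from now (None: tool default)
    otp_validity: int | None = None  # registration key expiration, seconds from now (None: tool default)


def render_batch_file(entries: list[BatchEntry]) -> str:
    """Serialize entries in the batch-file layout."""
    blocks = []
    for e in entries:
        lines = [e.dn]
        if e.mail:
            lines.append(f"mail={e.mail}")
        if e.not_after is not None:
            lines += ["not_after", str(e.not_after)]
        if e.otp_validity is not None:
            lines += ["otp_validity", str(e.otp_validity)]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def parse_batch_file(text: str) -> list[BatchEntry]:
    """Parse the layout back; raise ValueError on a line the tool would not understand."""
    entries: list[BatchEntry] = []
    current: BatchEntry | None = None
    pending: str | None = None  # attribute whose value is expected on the next line
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            current, pending = None, None       # blank line ends the entry
        elif current is None:
            current = BatchEntry(dn=line)       # first line of an entry is the DN
            entries.append(current)
        elif pending:
            setattr(current, pending, int(line))
            pending = None
        elif line.startswith("mail="):
            current.mail = line[len("mail="):]
        elif line in ("not_after", "otp_validity"):
            pending = line
        else:
            raise ValueError(f"line {lineno}: unexpected {line!r} in entry for {current.dn}")
    if pending:
        raise ValueError(f"missing value for {pending} in entry for {current.dn}")
    return entries


# Constructed sample; the fixed clock keeps the seconds-from-now values reproducible
NOW = datetime(2024, 1, 15, 12, 0, 0)
SAMPLE_USERS = [  # (DN, email, certificate expiration, registration key expiration)
    ("CN=alice,OU=users,O=mgmt.example.com.abc123", "alice@example.com", "15-Jan-2026", "29-Jan-2024 12:00:00"),
    ("CN=bob,OU=users,O=mgmt.example.com.abc123", None, None, None),  # bob gets the tool defaults
]


def build_sample_batch() -> str:
    return render_batch_file([
        BatchEntry(dn=dn, mail=mail,
                   not_after=seconds_from_now(cert_exp, NOW) if cert_exp else None,
                   otp_validity=seconds_from_now(otp_exp, NOW) if otp_exp else None)
        for dn, mail, cert_exp, otp_exp in SAMPLE_USERS])


if __name__ == "__main__":
    text = build_sample_batch()
    print(text)
    for entry in parse_batch_file(text):
        print(cn_from_dn(entry.dn), entry)
```

Running it prints alice's entry with `not_after` of 63115200 (two years less the twelve hours between the clock and midnight) and `otp_validity` of 1209600 (two weeks), followed by bob's bare DN; a past date or a dangling attribute name raises before anything is written, which is the failure you want to catch before the tool silently initializes the wrong values.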