Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2011-08-16 10:01:20.0

TN 8025 - How do I install my certificate on a Checkpoint VPN appliance?

Question: How do I install my certificate on a Checkpoint VPN appliance?

Answer:

Obtain the latest Entrust root certificate from:

http://www.entrust.net/developer/index.cfm

The appropriate cross certificate is presented to you when you obtain your certificate.

Step 1: Add the Entrust root certificate to your Checkpoint firewall:

1 - Go to Manage - Servers and OPSEC Applications.

2 - Create a New Certificate Authority > Trusted (OPSEC PKI).

3 – Name it Entrust_2048root. On the OPSEC PKI screen, select HTTP Servers. Click Get and point to the Entrust 2048 root certificate file that you downloaded.

Step 2: Add the Entrust L1C cross certificate:

1 - Go to Manage - Servers and OPSEC Applications.

2 - Create a New Certificate Authority > Trusted (OPSEC PKI).

3 – Name it Entrust_intermediate. On the OPSEC PKI screen, select HTTP Servers. Click Get and point to the Entrust intermediate certificate file that you downloaded.

Step 3: Generate your CSR:

1 - Click Add to add a new certificate to the Certificate List, using the intermediate CA that was created.

2 - Click Generate to have the system create a Certificate Signing Request (CSR).

DN:CN=sslvpn.yourdomain.com,OU=ITDEPT,O=YOURCOMPANY,L=HOMETOWN,ST=YOURSTATE,C=US

3 - Enable the box Define Alternate Names and pick an FQDN and email from the drop-down list.

4 - Click Add [FQDN]. Enter your alias FQDN. Click Add [email] and enter your email address.

5 - Click View and copy the text to the clipboard or save it to a text file (including BEGIN, END and dashes).

Once you have your CSR, you can submit it to Entrust to be signed. Entrust will then send you back your certificate.

Step 4: Install the certificate:

1 – Copy the certificate into Notepad and save it as entrust.cer.

2 – Go to the Checkpoint Gateway page > VPN.

3 – Under Certificate List click Complete.

4 – Select the entrust.cer file that you created and click OK.

Step 5: Select the Entrust certificate for use with SSL Extender:

1 - Edit the gateway/cluster object and select Remote Access > SSL Clients.

2 - Select the new Entrust certificate in the drop-down list under the "The gateway authenticates with this certificate:" section and click OK.

3- Push the policy to the gateway/cluster.

You have now installed an Entrust certificate on a Checkpoint VPN appliance.
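
The shell checks below are an added example, not part of the Entrust article. Before Complete is clicked in Step 4, they confirm that the saved CSR is intact and carries the alternate-name FQDN, that entrust.cer holds the CSR's public key, and that it chains to the root and cross certificate imported in Steps 1 and 2. They assume the openssl command-line tool on an administrator workstation; every file name other than entrust.cer, and the make_demo_chain helper that builds constructed sample input, are hypothetical.

```shell
# Added example: pre-install checks for the files produced in Steps 1-4.
# Only entrust.cer is named in the article; all other file names are assumptions.

# SHA-256 of the public key in a CSR ($1 = req) or a certificate ($1 = x509).
pubkey_hash() {
    key=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) && [ -n "$key" ] || return 1
    printf '%s\n' "$key" | openssl dgst -sha256 | awk '{print $NF}'
}

# CSR was copied whole (BEGIN/END lines included) and its self-signature verifies.
csr_intact() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# CSR carries the alternate-name FQDN ($2) added in Step 3.
csr_has_dns() {
    openssl req -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Issued certificate ($1) holds the same public key as the CSR ($2).
cert_matches_csr() {
    a=$(pubkey_hash x509 "$1") && b=$(pubkey_hash req "$2") && [ "$a" = "$b" ]
}

# Certificate ($3) chains through the intermediate ($2) to the root ($1).
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# Constructed sample input: a throwaway root, intermediate and server certificate
# written into directory $1 so the checks can be tried without real Entrust files.
make_demo_chain() (
    cd "$1" || exit 1
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        'req_extensions = san' '[dn]' 'CN = sslvpn.yourdomain.com' \
        '[san]' 'subjectAltName = DNS:sslvpn.yourdomain.com' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' > demo.cnf
    for n in root intermediate request; do
        openssl req -new -newkey rsa:2048 -nodes -config demo.cnf -subj "/CN=demo-$n" \
            -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
    done
    openssl x509 -req -in root.csr -signkey root.key -days 2 \
        -extfile demo.cnf -extensions ca -out root.cer 2>/dev/null &&
    openssl x509 -req -in intermediate.csr -CA root.cer -CAkey root.key -CAcreateserial \
        -days 2 -extfile demo.cnf -extensions ca -out intermediate.cer 2>/dev/null &&
    openssl x509 -req -in request.csr -CA intermediate.cer -CAkey intermediate.key \
        -CAcreateserial -days 2 -out entrust.cer 2>/dev/null
)
```

With real files, call the four checks directly, for example chain_ok root.cer intermediate.cer entrust.cer; a non-zero exit status means the certificate should not be installed yet.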