Monday, November 20, 2017

Generate a CSR on Checkpoint FWM


Next steps
Generate a new CSR with a subject alternative name (SAN) matching the IP address (or hostname or wildcard) that is defined in UserCheck. We recommend signing the web server certificate with the same Microsoft root CA we used to sign the HTTPS inspection certificate. Because both certificates are then signed by the same root CA, and that root CA has already been imported into the certificate store, BCBSMA will not have to push out another certificate.

To complete this, follow these steps:
1.       Backup and edit the file $CPDIR/conf/openssl.cnf on the machine.
cp $CPDIR/conf/openssl.cnf $CPDIR/conf/openssl.cnf.orig

2.       In the [ req ] section, uncomment the line:
Change: #req_extensions = v3_req
To: req_extensions = v3_req

3.       In the [ v3_req ] section, add the following line:
subjectAltName=DNS:<FQDN>,DNS:*.<FQDN>
Example: subjectAltName=DNS:sslvpn.example.com,DNS:*.sslvpn.example.com

Save the file, run csr_gen and create the CSR. When asked for CommonName (CN), enter "*.sslvpn.example.com".

[Expert@GW]# cpopenssl req -new -out <CERT.CSR> -keyout <KEYFILE.KEY> -config $CPDIR/conf/openssl.cnf
Notes:
i. This command generates a private key.
ii. Enter a password and confirm.
iii. Fill in the required data:
   - The Common Name field is mandatory. This field must have the Fully Qualified Domain Name (FQDN). This is the site that users access. For example: portal.example.com.
   - All other fields are optional.
To verify that the CSR was generated properly, run: cpopenssl req -in requestFile.csr -text

4.       After generating the CSR, use the backup to restore the openssl.cnf file to its previous state.
cp $CPDIR/conf/openssl.cnf.orig $CPDIR/conf/openssl.cnf
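Steps 1 through 4 above, plus the CSR verification, as a shell script. This is an added example and not part of the original post; it assumes the gateway's OpenSSL wrapper is cpopenssl (override with OPENSSL_BIN) and that the config file already contains [ req ] and [ v3_req ] sections, and takes the config path as a parameter so it can be tried on a copy first.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of the SAN-enabled
# CSR procedure. Assumptions: the gateway's OpenSSL wrapper is cpopenssl
# (override with OPENSSL_BIN), and the config file passed in already has
# [ req ] and [ v3_req ] sections (normally $CPDIR/conf/openssl.cnf).

# enable_san CNF FQDN: back up CNF to CNF.orig (step 1), uncomment
# req_extensions in [ req ] (step 2) and add the SAN line under [ v3_req ] (step 3).
enable_san() {
    cnf="$1"; fqdn="$2"
    cp "$cnf" "$cnf.orig" || return 1
    awk -v san="subjectAltName=DNS:${fqdn},DNS:*.${fqdn}" '
        /^#[[:space:]]*req_extensions[[:space:]]*=[[:space:]]*v3_req/ {
            print "req_extensions = v3_req"; next
        }
        { print }
        /^\[[[:space:]]*v3_req[[:space:]]*\]/ { print san }
    ' "$cnf.orig" > "$cnf"
}

# restore_cnf CNF: put the original config back from the backup (step 4).
restore_cnf() {
    cp "$1.orig" "$1"
}

# cnf_has_san CNF FQDN: succeeds only if the config will emit the SAN for FQDN.
cnf_has_san() {
    grep -q '^req_extensions[[:space:]]*=[[:space:]]*v3_req' "$1" &&
    grep -q "^subjectAltName=DNS:$2,DNS:\*\.$2\$" "$1"
}

# gen_csr CNF OUT_CSR OUT_KEY: the cpopenssl command from step 3; it prompts
# for the key passphrase and DN fields, answer the CN prompt with *.FQDN.
gen_csr() {
    "${OPENSSL_BIN:-cpopenssl}" req -new -config "$1" -out "$2" -keyout "$3"
}

# csr_has_san CSR FQDN: succeeds only if the generated CSR carries the wildcard SAN,
# so a CSR built before the config edit is caught before it reaches the CA.
csr_has_san() {
    "${OPENSSL_BIN:-cpopenssl}" req -in "$1" -noout -text | grep -q "DNS:\*\.$2"
}
```

Run enable_san, then gen_csr, then csr_has_san on the output before submitting it, and finish with restore_cnf so later csr_gen runs do not inherit the SAN.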

5.       Submit the CSR file to your 3rd-party CA vendor in order to receive the signed server certificate.
Note: There is not a standard submission procedure. Some CAs have a Web form for submitting the CSR file. Others have a Web form with individual certificate fields. Those cannot be used with the above procedure since our gateway generates a CSR file. Some CAs receive the CSR file by email.

6.       Open Security Gateway properties. 
Go to UserCheck
In the Certificate section, click the "Import" button (or the "Replace" button if a certificate is already present) and import the new certificate. 
Click on 'OK' to save the changes. 

Install the policy on the Security Gateway.