Check Point VPN-1 NG

Usage of an OPSEC PKI as external Certificate Authority


AERAsec Network Services and Security GmbH


Import a new OPSEC PKI Certificate Authority

Create a new Certificate Authority: select the Servers and OPSEC Application tab, open Servers and then Certificate Authority.


Specify a proper name, description and type (here XCA is used as the PKI tool, which corresponds to the type OPSEC PKI):

Import of the external Certificate Authority

Select a Certificate Authority file for input

Import the external Certificate Authority by selecting the proper file:
Note: when using XCA as the PKI tool, select the CA under the Certificates tab, then Export -> File, Export Format: PEM.

Also disable CRL retrieval for now, unless you have already set up an LDAP or HTTP server that serves the CRL of the chosen CA. Keep in mind that while CRL retrieval is disabled, certificates revoked by this CA are still accepted, so enable it as soon as a CRL distribution point is available.

Verification of the chosen Certificate Authority file:


After successful verification (e.g. by comparing the DN and the fingerprint with the values shown in the PKI tool), accept the import.

Advanced settings

There is currently no need to touch the default values in Advanced settings.

Result

As a result you get a second Certificate Authority next to the already existing internal_ca:



Use of an OPSEC PKI for IKE authentication

Create a certificate request for the Check Point VPN-1 object, to be signed later by the external PKI:



If you cannot specify the subject alternative name later in the PKI tool, specify it in the request like this (note that XCA, at least up to version 0.4.5, ignores the subject alternative name in requests; it is overwritten or removed in the signing step):


Export the certificate request via copy & paste from the View:


Sign the certificate request of the module with the external PKI tool

  1. Create an empty PEM file on a floppy disk (here: PKIcert-checkpoint-request.pem)
  2. Open this file with the Notepad editor and select Format -> Word Wrap
  3. Paste the certificate request into it
  4. Important: re-insert the missing line breaks on all lines (the pasted request arrives without them)
  5. Deselect Format -> Word Wrap; if the view is no longer the same, step 4 was not done completely
  6. Save and close the file
  7. Transfer the request to the PKI tool
  8. Import the request into the PKI tool
  9. Sign the request
  10. Save the signed certificate to the floppy disk
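As an added example (not part of the original AERAsec page, and not Check Point or XCA code), the following Python script automates two of the manual checks described above: it rebuilds the line breaks of a certificate request pasted from the View (steps 4 and 5 of the list) and, for the verification step of the CA import, computes the colon-separated fingerprint over the decoded DER bytes so it can be compared with the value displayed by the PKI tool. The sample request body is constructed inside the script (it has the outer shape of a DER SEQUENCE but is not a real request); the function names `repair_pem`, `pem_to_der` and `fingerprint` are chosen here and are not Check Point or XCA names.

```python
import base64
import binascii
import hashlib
import re

# RFC 7468 PEM bodies are wrapped at 64 characters per line.
PEM_LINE_LENGTH = 64


def repair_pem(text: str, label: str = "CERTIFICATE REQUEST") -> str:
    """Rebuild a PEM block whose line breaks were lost on copy & paste.

    Everything between the BEGIN and END markers is treated as base64 body:
    stray whitespace is removed and the body is re-wrapped at 64 characters.
    Raises ValueError if the markers are missing or the body is not base64.
    """
    begin = f"-----BEGIN {label}-----"
    end = f"-----END {label}-----"
    start = text.find(begin)
    stop = text.find(end, start + len(begin)) if start >= 0 else -1
    if start < 0 or stop < 0:
        raise ValueError("PEM BEGIN/END markers not found")
    body = re.sub(r"\s+", "", text[start + len(begin):stop])
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body) or len(body) % 4:
        raise ValueError("PEM body is not valid base64 (check the pasted text)")
    lines = [body[i:i + PEM_LINE_LENGTH] for i in range(0, len(body), PEM_LINE_LENGTH)]
    return "\n".join([begin, *lines, end]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Decode a PEM block and check that the payload starts like a DER SEQUENCE."""
    body = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"base64 decoding failed: {exc}") from exc
    # Certificates and certificate requests are ASN.1 SEQUENCEs, DER tag 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE")
    return der


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated uppercase hex digest over the DER encoding, the form PKI GUIs display."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: a DER SEQUENCE holding a 100-byte OCTET STRING. It is
# not a real certificate request, only a payload with the right outer shape,
# pasted without any line breaks just as the View export arrives.
SAMPLE_DER = b"\x30\x66\x04\x64" + bytes(range(100))
PASTED_REQUEST = (
    "-----BEGIN CERTIFICATE REQUEST-----"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE REQUEST-----"
)

if __name__ == "__main__":
    fixed = repair_pem(PASTED_REQUEST)
    print(fixed)
    der = pem_to_der(fixed)
    print("SHA1 fingerprint:", fingerprint(der))
    print("MD5  fingerprint:", fingerprint(der, "md5"))
```

Running the script on a real pasted request replaces the Notepad editing of steps 2 to 5: the repaired output can be saved directly to the floppy disk, and the fingerprint printed for an exported CA file is what you compare against the value shown in the verification dialog of the CA import.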

Import signed certificate


Verify the certificate:

Accept the certificate.
The firewall object now has 2 certificates installed:

Force the use of this certificate by selecting the CA on a locally managed gateway


Configure matching criteria for externally managed gateway or interoperable device

Select OPSEC PKI; additionally, you can narrow the matching criteria by DN, IPv4 address and e-mail (taken from the subject alternative name) contained in the certificate of the externally managed gateway or interoperable device. Without these additional criteria, any valid certificate issued by the selected CA is accepted for this peer.
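To make the effect of the matching criteria visible, here is an added Python example (not part of the original page and not Check Point code) that mirrors the decision: the CA is mandatory, and each optional criterion (DN, IPv4 address, e-mail from the subject alternative name) further restricts which certificates are accepted. The `PeerCertificate` and `MatchingCriteria` classes, the CA name `opsec_pki_ca` and the two sample certificates are constructed for this illustration; no X.509 parsing takes place.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCertificate:
    """Constructed stand-in for the certificate fields the matching looks at
    (values as they would come out of a parsed peer certificate)."""
    issuer_ca: str                                         # CA object that signed the certificate
    subject_dn: str                                        # subject distinguished name
    san_ips: List[str] = field(default_factory=list)       # iPAddress entries of subjectAltName
    san_emails: List[str] = field(default_factory=list)    # rfc822Name entries of subjectAltName


@dataclass
class MatchingCriteria:
    """Hypothetical mirror of the peer object's Matching Criteria:
    the CA is mandatory, the remaining fields are optional restrictions."""
    ca: str
    dn: Optional[str] = None
    ipv4: Optional[str] = None
    email: Optional[str] = None


def normalize_dn(dn: str) -> str:
    """Crude normalisation: trim whitespace around RDNs and lowercase attribute types.
    Real DN comparison follows the X.500 matching rules; this is enough for the demo."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def certificate_matches(cert: PeerCertificate, criteria: MatchingCriteria) -> bool:
    """Every criterion that is set must hold; unset criteria restrict nothing."""
    if cert.issuer_ca != criteria.ca:
        return False
    if criteria.dn is not None and normalize_dn(cert.subject_dn) != normalize_dn(criteria.dn):
        return False
    if criteria.ipv4 is not None and criteria.ipv4 not in cert.san_ips:
        return False
    if criteria.email is not None and criteria.email.lower() not in (e.lower() for e in cert.san_emails):
        return False
    return True


# Constructed sample certificates, both issued by the imported OPSEC PKI CA.
PARTNER_GW = PeerCertificate("opsec_pki_ca", "CN=vpn-partner, O=Example AG, C=DE",
                             san_ips=["192.0.2.10"], san_emails=["vpn@example.test"])
OTHER_CERT = PeerCertificate("opsec_pki_ca", "CN=some-other-host, O=Example AG, C=DE",
                             san_ips=["192.0.2.99"])

CA_ONLY = MatchingCriteria(ca="opsec_pki_ca")
CA_AND_DN = MatchingCriteria(ca="opsec_pki_ca", dn="CN=vpn-partner,O=Example AG,C=DE")
CA_DN_IP = MatchingCriteria(ca="opsec_pki_ca", dn="CN=vpn-partner,O=Example AG,C=DE", ipv4="192.0.2.10")

if __name__ == "__main__":
    for name, crit in [("CA only", CA_ONLY), ("CA + DN", CA_AND_DN), ("CA + DN + IP", CA_DN_IP)]:
        print(f"{name:14} partner={certificate_matches(PARTNER_GW, crit)} "
              f"other={certificate_matches(OTHER_CERT, crit)}")
```

With the CA as the only criterion both constructed certificates are accepted; adding the DN (and the IPv4 address from the subject alternative name) leaves only the intended partner gateway, which is the configuration to aim for when the external CA also issues certificates to other parties.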



No warranty at all, your Feedback is welcome!
© 2003-2010 AERAsec Network Services and Security GmbH, last update 2003-10-30 (PB)