Certificate authentication for Remote Access works only with an external CA on Quantum Spark / SMB locally managed appliances
Symptoms
  • Cannot connect with the Check Point Endpoint Security VPN client when a certificate from a Public-Key Cryptography Standards #12 file (PKCS#12, '.p12' or '.pfx') is used as the authentication method, if the certificate request was generated/signed by the appliance's internal CA.
Solution

This is an expected behavior.

Locally managed Quantum Spark / SMB appliances do not support internal certificate administration. Refer to sk110533.

The appliance must be running R80.20.x (Quantum Spark) or R77.20.75 B2270 or higher (SMB).

To use an external CA:

  1. In the appliance WebUI, go to VPN > Trusted CAs.
  2. Import the external root CA (or the intermediate/sub CA that issued the certificate contained in the '.p12' or '.pfx' file) into the firewall's trusted CAs.
  3. On the VPN endpoint client side, select 'Certificate - P12' or 'Certificate - CAPI' as the authentication method and use the '.p12' or '.pfx' file whose certificate was issued by the external CA you imported (for 'Certificate - CAPI', first import the '.p12' or '.pfx' file into the Windows certificate store).

Restrictions:

  • No Active Directory (AD) servers should be configured on the appliance.
  • Remote access permissions for RADIUS users should be disabled on the 'Authentication Server' page.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
