How to generate and install a third-party IPSec Certificate
Solution

Generate and install a third-party IPSec Certificate

  1. Check with your Certificate Authority and get the CA (root) certificate, as well as the intermediate certificate. For example, if the third-party Trusted Certificate is from Entrust, get the Root and Intermediate Certificates first.

  2. In this example, the Root is Entrust.net and the Intermediate is Entrust Certificate Authority – L1K. Accordingly, we will install the Root Certificate as a Trusted CA and the Intermediate Certificate as a Subordinate CA.

  3. Go to SmartDashboard. Click on *New and then click on More. Find the Server option, click on More, and choose Trusted CA.

  4. After you choose Trusted CA, a dialog box appears.

  5. Name the Trusted CA (for example: Root CA or GodaddyCA).

  6. Select the OPSEC PKI option and click on GET.

  7. A Windows dialog box appears. Choose the desired Root CA certificate.

  8. After you choose the certificate, you are prompted to accept the certificate.

  9. Install the Intermediate Certificate as a Subordinate CA.

  10. Go to SmartDashboard. Click on *New. Then click on More and find the Server option. Click on More and choose Subordinate CA.

  11. After you choose Subordinate CA, a dialog box appears. (Follow the same steps as for the Root CA.)

  12. Name the Subordinate CA (for example: Intermediate CA or Godaddy-inter ca).


  13. Accept the prompt, select the certificate from step 13:

  14. Both the Intermediate and Root CA certificates are available under the Servers section of the object tree:

    Go to 'SmartDashboard > Object Tree' and click on Servers.

  15. Now you have successfully installed the certificate. You can generate the CSR, as shown below:

    In SmartDashboard, click on the particular Gateway object, then click on IPSec VPN. Then click on ADD and choose the relevant certificate through which you would like to generate the CSR.

  16. If this is a new Certificate request, the general format for the DN is as follows:

    CN=domain.com

    OU=Group name (example: IT Operations) 

    O=Company Name (example: Check Point) or (example: Check Point\, Ltd)

    L=Location/City information

    ST=State (DO NOT USE "s=")

    C=Country (example: US)

    (Example: “CN=abc.com,OU=IT Operations, O=Company Name, L=City, ST=State, C=US”)

  17. After you generate the CSR, you will find the certificate under the IPSec repository.

  18. After you generate the CSR, you can export it, and make sure that it is signed by the same (Root) CA and intermediate CA (also known as Direct CA), and then install it. Otherwise, it displays an error. For more information, refer to sk60223: How to fix "The direct CA certificate in the received chain doesn't match the CA certificate for which you created the certificate request"
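
An added example (not part of the Check Point article): a small Python check for the DN string from step 16 before it is entered in SmartDashboard. It catches the two pitfalls that step calls out, `S=` used instead of `ST=` and a comma inside a value that is not escaped as `\,`. The function names are hypothetical, and treating all six attributes as expected exactly once is an assumption of this example.

```python
import re

# Attribute order taken from step 16 of the procedure above.
DN_ORDER = ["CN", "OU", "O", "L", "ST", "C"]

def split_dn(dn):
    """Split a DN on commas that are not backslash-escaped."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed component {part.strip()!r} (unescaped comma?)")
        pairs.append((key.strip().upper(), value.strip()))
    return pairs

def check_dn(dn):
    """Return a list of problems; an empty list means the DN fits the format."""
    try:
        pairs = split_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    keys = [k for k, _ in pairs]
    problems = []
    if "S" in keys:
        problems.append('state must be written "ST=", not "S="')
    # Assumption of this example: all six attributes are expected, once each.
    for key in DN_ORDER:
        if keys.count(key) == 0 and not (key == "ST" and "S" in keys):
            problems.append(f"missing {key}=")
        elif keys.count(key) > 1:
            problems.append(f"duplicate {key}=")
    return problems

def build_dn(**attrs):
    """Build the DN in the page's order, escaping commas inside values."""
    parts = []
    for k in DN_ORDER:
        if k in attrs:
            value = re.sub(r"(?<!\\),", r"\\,", attrs[k])
            parts.append(f"{k}={value}")
    return ",".join(parts)

if __name__ == "__main__":
    # Constructed sample values, not taken from a real request.
    dn = build_dn(CN="abc.com", OU="IT Operations", O="Check Point, Ltd",
                  L="City", ST="State", C="US")
    print(dn, check_dn(dn))
```

The split treats every comma not preceded by a backslash as a separator, so a value such as `Check Point, Ltd` typed without the backslash is reported as a malformed component rather than silently becoming two attributes.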

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
