RSA Key Lengths in Check Point Products
Symptoms
  • Scanners of HTTPS web servers detect an SSL certificate chain that contains RSA keys shorter than 2048 bits.
  • According to NIST Special Publication 800-131A, RSA certificates should use keys no shorter than 2048 bits (starting January 1st, 2014).
  • The message "ssl certificate public key length too small" appears in the scan report.
Solution

This article outlines the lengths of RSA keys used in various Check Point products and instructs how to modify the default key length.

Note: The default key length size of keys generated by the internal CA of R80.10 is 2048-bit and can be seen in the ICA portal, under "Configure the CA" section.

Product | Default RSA Key length | Modifying the RSA Key length

SecurePlatform WebUI

R75.4X:
1024-bit

R77 and above:
2048-bit

Instructions for creating certificates with 2048-bit RSA keys on R76 (and lower) Security Gateways:

Starting in R77, the $WEBISDIR/bin/new_p12_cert utility on the Security Gateway was improved so that it can create certificates with 2048-bit RSA keys.

An administrator can copy this utility from an R77 Security Gateway to Security Gateways of older versions and use it there to create certificates with 2048-bit RSA keys.

  1. Export the $WEBISDIR/bin/new_p12_cert file from an R77 Security Gateway (you can perform a clean install even in VMware).

  2. Transfer the new_p12_cert file to an older version Security Gateway (into some directory, e.g., /some_path_to_R77_tool/).

  3. Close all SecurePlatform WebUI sessions with older version Security Gateway.

  4. Connect to command line on older version Security Gateway (over SSH, or console).

  5. Login to Expert mode.

  6. Backup the current (default) '$WEBISDIR/bin/new_p12_cert' tool:

    [Expert@HostName]# mv -v $WEBISDIR/bin/new_p12_cert $WEBISDIR/bin/new_p12_cert_ORIGINAL

  7. Copy the R77 'new_p12_cert' tool to '$WEBISDIR/bin/' directory:

    [Expert@HostName]# cp -v /some_path_to_R77_tool/new_p12_cert $WEBISDIR/bin/

  8. Locate the current certificate files 'servcert*.p12':

    [Expert@HostName]# find / -name servcert\*.p12 -type f

    Files should be located in '$WEBISDIR/servcert/' directory:

    /opt/spwm/servcert/servcert.p12
    /opt/spwm/servcert/servcert_ca.p12

  9. Determine the CN of the Security Gateway:

    [Expert@HostName]# $CPDIR/bin/cpopenssl pkcs12 -in $WEBISDIR/servcert/servcert.p12 -passin pass: -nokeys | grep 'subject=/CN='
    Example output:
    MAC verified OK
    subject=/CN=192.168.1.2
    
  10. Backup the current certificate files 'servcert*.p12':

    [Expert@HostName]# mv -v $WEBISDIR/servcert/servcert.p12 $WEBISDIR/servcert/servcert.p12_ORIGINAL

    [Expert@HostName]# mv -v $WEBISDIR/servcert/servcert_ca.p12 $WEBISDIR/servcert/servcert_ca.p12_ORIGINAL

    [Expert@HostName]# ls -l $WEBISDIR/servcert/servcert*.p12

  11. Generate a new SecurePlatform WebUI certificate with 2048-bit RSA keys:

    [Expert@HostName]# $WEBISDIR/bin/new_p12_cert $WEBISDIR/servcert/servcert.p12 CN=IP_Address_of_Security_Gateway

    where IP_Address_of_Security_Gateway should be taken from the output of '$CPDIR/bin/cpopenssl' command above.

  12. Verify that the new certificate files were generated:

    [Expert@HostName]# stat $WEBISDIR/servcert/servcert*.p12

    Note: The following files should be generated (the 'Modify' timestamp should show the time when the 'new_p12_cert' utility was run):

    /opt/spwm/servcert/servcert.p12
    /opt/spwm/servcert/servcert_ca.p12

  13. Reboot the older version Security Gateway.

Contact Check Point Support if you do not have access to an R77 Security Gateway running on SecurePlatform OS in your environment.

Gaia Portal

R75.4X:
1024-bit

R76 and above:
2048-bit

On Security Gateways R75.4X:

  1. Generate a new 2048-bit RSA key and a self-signed certificate (with -x509, cpopenssl writes a certificate rather than a Certificate Signing Request):

    [Expert@HostName]# $CPDIR/bin/cpopenssl req -new -x509 -days 3652 -newkey rsa:2048 -nodes -keyout /web/conf/server.key -out /web/conf/server.crt

  2. Restart the Apache HTTPD2 process (the first command stops it, the second starts it):

    [Expert@HostName]# tellpm process:httpd2
    [Expert@HostName]# tellpm process:httpd2 t

Steps for R77.30:

  1. Stop the Apache HTTPD2 process:

    [Expert@HostName]# tellpm process:httpd2

  2. Backup the file /web/conf/server.key:

    [Expert@HostName]# cp -v /web/conf/server.key /web/conf/server.key_ORIGINAL

  3. Backup the file /web/conf/server.crt:

    [Expert@HostName]# cp -v /web/conf/server.crt /web/conf/server.crt_ORIGINAL

  4. Remove the old .crt and .key files:

    [Expert@HostName]# rm /web/conf/server.crt

    [Expert@HostName]# rm /web/conf/server.key

  5. Generate a new 4096-bit RSA key and a self-signed certificate (with -x509, cpopenssl writes a certificate rather than a Certificate Signing Request):

    [Expert@HostName]# cpopenssl req -new -x509 -sha256 -days 3652 -newkey rsa:4096 -nodes -keyout /web/conf/server.key -out /web/conf/server.crt -config $CPDIR/conf/openssl.cnf

  6. Start the Apache HTTPD2 process:

    [Expert@HostName]# tellpm process:httpd2 t
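To reproduce what the scanner in the Symptoms section measures, and to verify the key length of a server.crt produced by the procedures above, here is an added example in Python that is not part of this Check Point article: a minimal DER walker that extracts the RSA modulus size from a PEM or DER certificate or SubjectPublicKeyInfo. The function names and the synthetic test keys built by make_spki() are my own; to check a real file, pass the text of /web/conf/server.crt to check_certificate().

```python
# Added example, not Check Point code: minimal DER walker reporting a certificate's RSA modulus size.
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
MIN_BITS = 2048                                    # NIST SP 800-131A minimum for RSA

def _tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _der(tag, value):
    n = len(value)                                   # encode one DER TLV (used for the test input only)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + value

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER certificate or SPKI; None if no RSA key is present."""
    idx = der.find(RSA_OID)
    if idx < 0:
        return None
    _, _, pos = _tlv(der, idx + len(RSA_OID))        # skip the NULL parameters (required by RFC 3279)
    tag, start, end = _tlv(der, pos)                 # BIT STRING wrapping RSAPublicKey
    if tag != 0x03:
        return None
    inner = der[start + 1:end]                       # drop the unused-bits octet
    _, seq_start, _ = _tlv(inner, 0)                 # SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    _, n_start, n_end = _tlv(inner, seq_start)
    return int.from_bytes(inner[n_start:n_end], "big").bit_length()

def check_certificate(data):
    """Scanner-style verdict on PEM text or DER bytes: (bits, True if bits >= MIN_BITS)."""
    if isinstance(data, str):                        # PEM: strip the armour and base64-decode
        data = base64.b64decode(re.search(r"-----BEGIN [^-]*-----(.*?)-----END", data, re.S).group(1))
    bits = rsa_modulus_bits(data)
    return bits, bits is not None and bits >= MIN_BITS

def make_spki(bits, pem=False):
    """Constructed test input: an SPKI whose synthetic (not usable) modulus is exactly `bits` bits."""
    n = ((1 << (bits - 1)) | 0x10001).to_bytes(bits // 8, "big")   # top bit set, so pad with 0x00
    rsa_pub = _der(0x30, _der(0x02, b"\x00" + n) + _der(0x02, b"\x01\x00\x01"))
    der = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_pub))
    pem_text = "-----BEGIN PUBLIC KEY-----\n%s-----END PUBLIC KEY-----\n" % base64.encodebytes(der).decode()
    return pem_text if pem else der
```

The same parser works on a full X.509 certificate because the rsaEncryption OID only appears in its SubjectPublicKeyInfo (signature algorithms such as sha256WithRSAEncryption use a different OID).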

Mobile Access Portal / Identity Awareness Portal / DLP Portal / UserCheck Portal

1024-bit

Use this procedure in SmartDashboard only if you want to change the RSA key length to 1024-bit or 4096-bit:

  1. Go to 'Policy' menu - click 'Global Properties'
  2. Go to 'SmartDashboard Customization' or 'Advanced' (for R80.x or later) - click on the 'Configure...' button
  3. Go to the 'Certificate and PKI Properties' pane
  4. In the 'host_certs_key_size' field, select either 2048 or 4096
  5. Click 'OK' to apply the changes
  6. Follow 'sk31539' to renew the default certificate
  7. Install the policy onto involved Security Gateways
Internal CA (Root Certificate)

2048-bit

Impact on the Environment and Warnings:
  • Throughout this procedure, you delete and recreate the ICA on the management server.
  • This procedure deletes all certificates from a management server. All certificates need to be regenerated and redistributed. You must establish SIC again with all gateways managed by this management server.
  • Therefore:
    • Consult with Check Point support engineers before recreating the CA.
    • Test this in a controlled lab first.
    • Make sure you have a good backup (or even a snapshot) of the management server and that this procedure is done during downtime.

 

Use this procedure on the Management Server (MGMT) only if you want to change the RSA key length (1024 / 2048 / 4096 bit):

  1. Run cpstop
  2. Run fwm sic_reset
  3. Edit InternalCA.C and add :ica_key_size(4096) and :sic_key_size(4096)
  4. Run cpconfig and choose 'Certificate Authority' to create the CA
  5. Run cpstart
HTTPS Inspection

R80.10 and above:
2048-bit for dynamically created certificates (outbound inspection)

2048-bit for signing CA key

Modifying the RSA Key length: N/A
Client/VPN/User Certificate

R75.4X:
1024-bit

R77 and above:
2048-bit

Follow these steps:

  1. Connect to Internal CA Management Tool on Security Management Server / Domain Management Server:

    1. Enable Internal CA Management Tool:

      [Expert@MGMT]# cpca_client set_mgmt_tool on -no_ssl

    2. Connect to Internal CA Management Tool using a Web browser:

      http://MGMT_IP_ADDRESS:18265

      where MGMT_IP_ADDRESS is the IP address used to connect to the Management Server with SmartDashboard

    Note: To disable Internal CA Management Tool later, run:
    [Expert@MGMT]# cpca_client set_mgmt_tool off



  2. Change the Client/VPN/User Certificate key size:

    1. In the upper left menu, go to 'Configure the CA'
    2. Go to the 'Key Size Attributes' section
    3. In the 'User Certificate key size' field, enter the desired value (either 1024, 2048 or 4096)
    4. Click on the 'Apply' button at the top of the page


  3. Regenerate the Client/VPN/User Certificate.
SIC

R75.4X:
1024-bit

R77 and above:
2048-bit

Follow these steps:

  1. Connect to Internal CA Management Tool on Security Management Server / Domain Management Server:

    1. Enable Internal CA Management Tool:

      [Expert@MGMT]# cpca_client set_mgmt_tool on -no_ssl

    2. Connect to Internal CA Management Tool using a Web browser:

      http://MGMT_IP_ADDRESS:18265

      where MGMT_IP_ADDRESS is the IP address used to connect to the Management Server with SmartDashboard

    Note: To disable Internal CA Management Tool later, run:
    [Expert@MGMT]# cpca_client set_mgmt_tool off



  2. Change the SIC key size:

    1. In the upper left menu, go to 'Configure the CA'
    2. Go to the 'Key Size Attributes' section
    3. In the 'SIC key size' field, enter the desired value (either 1024, 2048 or 4096)
    4. Click on the 'Apply' button at the top of the page


  3. Regenerate the SIC certificate.
Endpoint

R75.4X:
1024-bit

R77 and above:
2048-bit

Renewal of the Management Server SIC certificate will automatically renew the Endpoint certificate.
