Endpoint Security MI Server R73 certificate validation
  • Certificate validation settings have no effect in Endpoint Security MI Server R73. Even if certificate validation is configured, the MI client does not perform validation.

Check Point offers a Hotfix for this issue.

Table of Contents:

  • Hotfix availability
  • Important notes
  • Hotfix installation instructions
  • Enabling SSL communication
  • Replacing the certificate
  • Troubleshooting


Hotfix availability

This hotfix is compiled only for MI version 3.0.0 HFA2.5.
If an older version is installed, the user should upgrade.


Important notes

  • If the web server uses a self-signed certificate, then SSL communication must not be enabled. Otherwise, the Device-to-CP communication will break!

  • The server certificate must have a valid parent CA in the certification path.

  • The certificate must be an SSLv3 certificate.


Hotfix installation instructions

  1. Download the improved DLL file from here.

  2. Transfer the file to Endpoint Security MI Server.

  3. Stop the Endpoint Security MI Server.

  4. Extract the DLL file from the ZIP archive.

  5. Drag the DLL file to the folder %SYSTEMROOT%\assembly\.

  6. Start the Endpoint Security MI Server.


Enabling SSL communication

Note: It is recommended to configure only a single test device prior to switching all devices to communicate over SSL.

  1. Open Endpoint Security MI Management Console (MIMC).

  2. Navigate to the device.

  3. Right-click on the device - click on 'Properties'.

  4. Go to 'Software' tab.

  5. Right-click on the 'Endpoint Security Device Agent for PC' node - click on 'Properties'.

  6. Expand 'System Settings'.

  7. Go to 'Connection Points'.

  8. Double-click on each attribute - modify its value to 'Deny'.

  9. Click on 'OK' button.

  10. Verify that the device downloads the new settings (open 'Logs' tab).

  11. Verify that device communication is not broken.



Replacing the certificate

  1. Assign the new certificate to the web server - follow the instructions in Microsoft KB816794 - Install Imported Certificates on a Web Server in Windows Server 2003.

  2. Restart the Windows IIS service.



Troubleshooting

  1. On the server, browse to https://localhost/PointsecMI_CP/cp_ssl.aspx

  2. Verify you do not get any warning regarding the certificate.

  3. Open the certificate from the browser and verify:

    • The certificate is the one you expect.

    • The certificate has a trusted parent CA.

    • The certificate is of SSLv3.

  4. Verify that client device communicates:

    1. On client device, browse to the connection point at this URL:


    2. Verify you do not get any warning regarding the certificate.

    3. Verify that the certificate that is used is the new one.

    4. Verify that Device Agent communicates (open Device Agent UI).
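
The certificate checks in steps 1 to 3 (expected certificate, no warning, trusted parent CA, not self-signed) can also be scripted. The PowerShell below is an added example, not Check Point code; the function name Test-ConnectionPointCertificate and its parameters are assumptions, and it does not cover the SSLv3 item.

```powershell
# Added example (not Check Point code). Function and parameter names are assumptions.
function Test-ConnectionPointCertificate {
    param(
        [string]$HostName = 'localhost',   # host part of the connection point URL
        [int]$Port = 443
    )
    $script:policyErrors = $null
    # The callback only records what the TLS stack reports and lets the
    # handshake finish so the certificate can be inspected. It is diagnostic
    # code and must not be reused in a client that sends data.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
    # Build the certification path against this machine's trust stores.
    # Assumption: revocation is not checked, so the test also runs on an
    # isolated server; only the path to a trusted root is evaluated.
    $x509Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $x509Chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $x509Chain.Build($cert)
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        Thumbprint   = $cert.Thumbprint      # compare with the certificate you installed
        NotAfter     = $cert.NotAfter
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        ChainLength  = $x509Chain.ChainElements.Count
        ChainTrusted = $chainOk
        HasParentCA  = ($chainOk -and $x509Chain.ChainElements.Count -gt 1)
        ChainStatus  = @($x509Chain.ChainStatus | ForEach-Object { $_.Status })
        PolicyErrors = $script:policyErrors  # 'None' corresponds to no browser warning
    }
}

# Run on the server first, then on a test device against the connection point host.
Test-ConnectionPointCertificate -HostName 'localhost' | Format-List
```

A result with SelfSigned set to True or HasParentCA set to False matches the case in "Important notes" where SSL communication must not be enabled.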




Check Point thanks Alberto Garcia Illera for responsible disclosure of this issue.

This solution is about products that are no longer supported and it will not be updated
