Checkpoint Firewall SSL cert not working

I installed an SSL cert from DigiCert on my Checkpoint Firewall running R77 GAIA. Everything seems to have gone well, but my clients still use the built-in cert when they connect using the SSL Network Extender. Is there something that I need to do via the command line to get this cert "active"?

Relay700 (IT Manager) asked:

btan (Exec Consultant) commented:
Saw the bug resolutions in the new R77.1 release; better to get the latest version and republish.

In a heavy-load cluster environment, Remote Access VPN Clients that are authenticated by LDAP are not able to connect due to VPN certificate validation errors.

With a certificate signed by a sub-CA, object settings are ignored in a Site-To-Site VPN with a 3rd party peer.

"Bad certificate chain in the response" error when trying to validate a 3rd party certificate with a critical extension of CertificatePolicies in a chain.

Past Advisory -

> SNX access with CA authentication fails

> Authentication with an internal certificate fails with Error occurred - User does not support public key authentication.
btan (Exec Consultant) commented:
Need to push it down to the client as well; please see the DigiCert sharing below on "Push this policy to devices and clients" in SmartCenter.

Likewise, though the Checkpoint PDF is using an MS CA for the SSL n/w extender, it is useful to check out the steps for installing the user cert and the use of the browser to validate the choice of user cert installed. Primarily, the new user cert must reside in the user's personal cert store (else the browser will not find it).

Just to make sure as well (which I assume you have already validated), there are limitations on the browser and OS end.
One thing you can do is to remove the old cert from the clients.

- gurutc

Relay700 (IT Manager, author) commented:
@breadtan - all set with all of that except the dl3.checkpoint download says I am not authorized.  I am logged into my user center.  All the other steps checked out.

@gurutc - When I look at my certificates, I do not see one issued by my firewall.  When I view the cert in my browser it says it was issued by but there are no certs in my browser that came from that.
btan (Exec Consultant) commented:
This how-to also comes in handy:

How To Troubleshoot VPN Issues with Endpoint Connect (see if any match the error msg)
Relay700 (IT Manager, author) commented:
No luck.  Still using self-signed cert.  I read somewhere a while back that you needed to issue a command through command line but I can't seem to find anything on it.
btan (Exec Consultant) commented:
There is a list, and of specific interest is "snx -c <certificate file>".
ref -

snx -f <configuration file>
Run SSL Network Extender using parameters defined in a configuration file other than the default name or location.

snx -d
Disconnect from Mobile Access

snx -s <server>
Specify server IP or hostname

snx -u <username>
Specify a valid user

snx -c <certificate file>
Specify which certificate is used to authenticate.

snx -l <CA directory>
Define the directory where CA's certificates are stored.

snx -p <port>
Change the HTTPS port. (default port is TCP 443).

snx -g
Enable debugging. snx.elg log file is created.

snx -e <cipher>
Force a specific encryption algorithm. Valid values - RC4 and 3DES.

Also, it is possible to predefine SSL Network Extender attributes by using a configuration file (.snxrc) located in the user's home directory. When the SSL Network Extender command is executed, the attributes stored in the file are used by the SSL Network Extender command. To run a file with a different name, execute the command snx -f <filename>.

Change the HTTPS port. (default port is TCP 443).

Change the HTTPS port. (default port is TCP 443).

Specify a valid user

Specify which certificate is used to authenticate

Define the directory where CA's certificates are stored.

Enable reauthentication. Valid values - {yes, no}

Enable debugging. snx.elg log file is created. Valid values {yes, no}. To activate debugging when running java, create a .snxrc file with the line debug yes in the home directory.

Force a specific encryption algorithm. Valid values: RC4 and 3DES

Define a Proxy hostname

Define a proxy port

Define a proxy user

Define a password for proxy authentication
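Added check, not from this thread or from Check Point: it confirms whether the portal on TCP 443 is actually presenting the installed DigiCert certificate, by comparing the SHA-256 fingerprint of the served leaf certificate with the certificate file on disk. The gateway hostname and the PEM path are assumptions passed on the command line.

```python
import hashlib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's DER bytes, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def first_pem_block(text: str) -> str:
    """Return only the first certificate of a PEM file (a bundle also holds the chain)."""
    start = text.index(PEM_BEGIN)
    end = text.index(PEM_END, start) + len(PEM_END)
    return text[start:end]


def fingerprint_pem(pem_text: str) -> str:
    """Fingerprint of the installed (leaf) certificate as found in the PEM file."""
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text)))


def fetch_served_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """DER of the leaf certificate the gateway presents. Verification is disabled on
    purpose: the point is to see what is served, even an untrusted built-in cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def cert_is_active(served_der: bytes, installed_pem: str) -> bool:
    """True when the served certificate is byte-for-byte the installed one."""
    return fingerprint_der(served_der) == fingerprint_pem(installed_pem)


def main() -> int:
    # Assumed usage: python check_snx_cert.py vpn.example.com /path/to/digicert.pem
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path, encoding="ascii") as fh:
        installed = fh.read()
    served = fetch_served_cert(host)
    print("served    :", fingerprint_der(served))
    print("installed :", fingerprint_pem(installed))
    if cert_is_active(served, installed):
        print("OK: gateway presents the installed third-party certificate")
        return 0
    print("MISMATCH: gateway still presents a different (likely built-in) certificate")
    return 1


if __name__ == "__main__":
    sys.exit(main())
```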
Relay700 (IT Manager, author) commented:
After upgrading, I was able to get the 3rd party cert working.