FAQs

What is Check Point VPN Appliance and How to generate CSR and install a certificate using it?

 

Overview

 

This article outlines the step-by-step process to:

 

1. Generate a Certificate Signing Request (CSR) for VPN
2. Add an Intermediate CA to Check Point Smart Dashboard
3. Install the signed certificate
4. Enable VPN client login using the SSL certificate

 

Part 1: Creating the CSR (Certificate Signing Request)

 

1. In Smart Dashboard, open the Device Properties for your VPN gateway.
2. Navigate to IPSec VPN > Click Add under certificates.
3. In the Certificate Properties window:
• Certificate Nickname: e.g., VPN.exampledomain.com
• CA to Enroll From: Select the Intermediate CA you just added.
• Click Generate.
4. A prompt will ask to generate the certificate — select Yes.
5. In the Generate Certificate Request dialog:
• Fill in the Distinguished Name (DN) as:

CN=Domain Name, OU=Department, O=Organization, L=Locality ,ST=State, C=Country

 

• Optional: Click Define Alternate Names to specify SANs (Subject Alternative Names), if applicable.
• Click OK.

 

 

 

Part 2: Adding the Intermediate Certificate

 

1. Right-click Trusted CAs again > New CA > Subordinate.
2. In the Certificate Authority Properties window:
• Under the General tab, enter a name (e.g., Sectigo_Intermediate).
3. Under the OPSEC PKI tab:
• Click Get and select the IntermediateCA.crt file provided by the CA.
4. Click OK to complete the import.

 

 

Part 3: Retrieving the CSR

 

1. After generation, click View to open the Certificate Request View.
2. Click Copy to Clipboard to copy the CSR.
3. Also click Save to File to save the CSR locally.
4. Use any text editor to open the .csr file and copy the entire content, including:

-----BEGIN CERTIFICATE REQUEST-----

... (CSR content) ...

-----END CERTIFICATE REQUEST-----

 

5. Paste this content into the Sectigo portal.
6. Once the validation is completed. Certificate will be issued.

 

Part 4: Installing the Signed Certificate

 

Once you receive your signed SSL certificate (example_domain_com.cert) from the CA:

 

1. Open the VPN Gateway’s Device Properties in Smart Dashboard.
2. Go to IPSec VPN > Click Complete next to your certificate.
3. Upload the .crt file received from the CA.
4. Click OK to finish the installation.

 

Part 5: Enabling VPN Client Login (Optional)

 

To allow users to connect via SSL Network Extender (SNX):

 

1. In IPSec VPN settings, check VPN Client Login.
2. Under SSL Network Extender, choose the installed certificate via Select by Nickname.
3. Click OK.

 

Part 6: Install Policy

 

To apply the changes:

 

1. Click Install Policy in SmartDashboard.
2. Define your Installation Targets (e.g., Gateway, Cluster Members).
3. Click Install to push the new certificate and configuration. 

Points to Note:

• Ensure the CN or SAN matches the domain users will connect to.
• If the CA sends the certificate in .p7b format, convert it to .pem or .cer using tools like OpenSSL.
• Always back up the private key and CSR before submitting.

 

 

RELATED ARTICLES:

TAGS: