Generate 2048 Bits CSR in Checkpoint Firewall - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Thursday, April 3, 2014

Generate 2048 Bits CSR in Checkpoint Firewall

1. Situation

When submitting CSR to Symantec Verisign, it shows the CSR is not generated with a 2048 bit key. But from the place where to generate CSR in Checkpoint Smart Dashboard gateway properties window, there is no option to change 1024 bit key to 2048 bit or higher.

2. Research

It seems Checkpoint gateway is still using 1024 bit key. Checkpoint SK44961 has a solution for this.

3. Solutions

By default, when generating a CSR for 3rd party certificate use, the CSR is 1024bit. Some certificate vendors require 2048bit.
To change the default size of the CSR when generating it through the security gateway object:
  1. Open the SmartDashboard.
  2. Go to Policy -> Global Properties -> SmartDashboard Customization.
  3. Click 'Configure'.
  4. In the opened Advanced Configuration view go to 'Certificates and PKI properties'.
  5. Edit the "host_certs_key_size" property accordingly.
  6. Save and install the Security policy.

4. Verify


  1. Hi,

    I need to make a change to the below in order to support 2048 key size SCR.
    Any impact on existing certificates?
    Any impact on site-to-site VPN?
    Any impact on secure Remote connections?
    Any other impacts?

    1. It should not affect your existing certificates since this change will only change your CSR key size from 1024 to 2048.