This post is to show all basic steps to how to get a CA signed certificate for Mobile Access Portal to avoid this kind of warning message.
1. Generate Certificate Signing Request (CSR)
From gateway expert mode, Run:cpopenssl req -new -out <CERT.CSR> -keyout <KEYFILE.KEY> -config $CPDIR/conf/openssl.cnfÂ
This command generates a private key.
for example:
cpopenssl req -new -out cert.csr -keyout keyfile.key -config $CPDIR/conf/openssl.cnf
It will ask you to enter password to protect your private key file.
2. Go to Symantec Trust Center to submit your CSR. Following screenshots show all steps to get a trial certs.Â
After submission, it will take some days to get your certificate. The more details can be read from previous post:3. Generate P12 certificate based on Verisign signed certificate and your private key file.
Third Party CA company will send you your certificate (received.crt), and the ca file bundle including Root CA and Intermediate CA files (ca_public_key.crt). For CA cert files, it may be just one bundle or multiple files. If it is multiple files, you will have to manually combine them together.Following command will used to generate a P12 certificate based on CA signed certificate and your private key file.
cpopenssl pkcs12 -export -in received.crt -inkey keyfile.key -certfile ca_public_key.crt -out finalbundle.p12
During generation of P12 file, it will ask you the password of key file which you entered during generating CSR.
The second password is confusing here. It prompted to ask Expert Password and verify it again. Actually it is the password for your P12 cert.
note: when ftp out this cert, bin mode is mandatory to transfer this p12 cert file. I were using ASCII mode and got authentication failure in step 4.
4. Import P12 file into Mobile Portal
Click Mobile Access -> Portal Settings -> Import Selected finalbundle.p12 generated from step 3. It will ask you Password for PKCS#12 certificate, which is the step 3's expert password.
 View the certificate after imported it into portal.
5. Verify
Reference:
- Mobile Access Blade Configuration and Settings
- How to Generate a Certificate Signing Request for the Mobile Access Blade
- Use Symantec Verisign as OPSEC PKI to authenticate Checkpoint Site-to-Site IPSec VPN
No comments:
Post a Comment