Knowledge Base

Add a Root Certificate and Subordinate (Intermediate Certificate) & Create CSR

If you have already added a root and intermediate certificate, and you have your SSL Certificate and just need to install it, see Install SSL onto a Checkpoint VPN Appliance.

How to Create Your CSR for a Checkpoint VPN Appliance

Add the Root Certificate

1. Open the SmartDashboard so you can see all of your network devices.

2. Right-click on Trusted CAs and then click New CA > Trusted.

   

3. In the Certificate Authority Properties window, on the General tab, in the Name box, enter a name for the root certificate (e.g., DigiCert_Root).

   

4. On the OPSEC PKI tab, check HTTP Server(s).

5. Next, click Get and browse to and open the TrustedRoot.crt file that DigiCert sent to you, and click OK.

   

6. In the Certificate Authority Certificate View window, click Ok to trust this Certificate Authority root certificate.
   
   

   
   
   Add the Intermediate Certificate

7. In the SmartDashboard, right-click on Trusted CAs and then click New CA > Subordinate.

   

8. In the Certificate Authority Properties window, on the General tab, in the Name box, enter a name for the Intermediate certificate (e.g., DigiCert_Intermediate).

   

9. On the OPSEC PKI tab, click Get and browse to and open the DigiCertCA.crt file that DigiCert sent to you, and click OK.

10. In the Certificate Authority Certificate View window, click Ok to trust this Certificate Authority intermediate certificate.
    
    
    Create Your CSR

11. In the SmartDashboard, open the Device properties for the device you want the SSL certificate to be sent out from, and click Add to create a CSR.

    For example, go to Gateway Cluster > IPSec VPN > Add > Certificate Nickname (e.g., FQDN).

    

12. In the Certificate Properties window, enter the following information:

    Certificate Nickname:	Enter a nickname for the certificate (e.g., DigiCert or yourdomain.com).
    CA to enroll from:	In the drop-down list, select the intermediate certificate that you added (e.g,. DigiCert_Intermediate).

    

13. When you are finished, click Generate.

14. In the Check Point SmartDashboard window, click Yes to generate the certificate for this node.

    

15. In the Generate Certificate Request window, in the DN box, enter CN=vpn.yourdomain.com and click OK.

    Note: If you are getting a SAN certificate, click Define Alternate Names and when prompted, specify those names.

    

16. Next, click View to see the CSR.

17. In the Certificate Request View window, do the following and then click OK:

    Click Copy to Clipboard.	Copies the certificate contents to the clipboard.
    	If you use this option, we recommend that you paste the CSR into a tool such as Notepad.
    	If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it.
    Click Save to File.	Saves the CSR on your Checkpoint VPN Appliance. We recommend that you use this option.

    

18. Use a text editor to open the file. Then, copy the text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.

    Note: During your DigiCert SSL Certificate ordering process, make sure that you select Other when asked to select Server Software. This option ensures that you receive all the required certificates Checkpoint SSL Certificate installation.

    

19. After you receive your SSL Certificate from DigiCert, you can install it.

    See Install SSL onto a Checkpoint VPN Appliance.