Add a Root Certificate and Subordinate (Intermediate Certificate) & Create CSR

If you have already added a root and intermediate certificate, and you have your SSL Certificate and just need to install it, see Install SSL onto a Checkpoint VPN Appliance.

How to Create Your CSR for a Checkpoint VPN Appliance

    Add the Root Certificate

  1. Open the SmartDashboard so you can see all of your network devices.

  2. Right-click on Trusted CAs and then click New CA > Trusted.

  3. In the Certificate Authority Properties window, on the General tab, in the Name box, enter a name for the root certificate (e.g. DigiCert_Root).

  4. On the OPSEC PKI tab, check HTTP Server(s).

  5. Next, click Get and browse to and open the TrustedRoot.crt file that DigiCert sent to you and then click OK.

  6. In the Certificate Authority Certificate View window, click OK to trust this Certificate Authority root certificate.

    Add the Intermediate Certificate

  8. In the SmartDashboard, right-click on Trusted CAs and then click New CA > Subordinate.

  9. In the Certificate Authority Properties window, on the General tab, in the Name box, enter a name for the Intermediate certificate (e.g. DigiCert_Intermediate).

  10. On the OPSEC PKI tab, click Get and browse to and open the DigiCertCA.crt file that DigiCert sent to you and then click OK.

  11. In the Certificate Authority Certificate View window, click OK to trust this Certificate Authority intermediate certificate.

    Create Your CSR

  13. In the SmartDashboard, open the Device properties for the device you want the SSL certificate to be sent out from, and then click Add to create a CSR.

    For example, go to Gateway Cluster > IPSec VPN > Add > Certificate Nickname (e.g. FQDN).

  14. In the Certificate Properties window, enter the following information:

    Certificate Nickname: Enter a nickname for the certificate (e.g. DigiCert or yourdomain.com).
     
    CA to enroll from: In the drop-down list, select the intermediate certificate that you added (e.g. DigiCert_Intermediate).

  15. When you are finished, click Generate.

  16. In the Check Point SmartDashboard window, click Yes to generate the certificate for this node.

    Generation of certificate cannot be undone

  17. In the Generate Certificate Request window, in the DN box, enter CN=vpn.yourdomain.com and then, click OK.

    Note:    If you are getting a SAN certificate, click Define Alternate Names and when prompted specify those names.

  18. Next, click View to see the CSR.

  19. In the Certificate Request View window do the following and then click OK:

    Click Copy to Clipboard. Copies the certificate contents to the clipboard.
    If you use this option, we recommend that you paste the CSR into a tool such as Notepad.
    If you forget and copy some other item, you still have access to the CSR, and you do not have to go back and recreate it.
     
    Click Save to File. Saves the CSR on your Checkpoint VPN Appliance. We recommend that you use this option.

  20. Use a text editor to open the file. Then, copy the text, including the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.

    Note:    During your DigiCert SSL Certificate ordering process, make sure that you select Other when asked to Select Server Software. This option ensures that you receive all the certificates required for Checkpoint SSL Certificate installation.

  21. After you receive your SSL Certificate from DigiCert, you can install it.

    See Install SSL onto a Checkpoint VPN Appliance.
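
Before pasting the CSR into the order form (steps 19 and 20), it helps to confirm that the saved file kept both marker lines, still verifies against its own signature, and carries the name entered in the DN box. The script below is an added example, not part of the original instructions; it assumes the OpenSSL command-line tool is installed on the workstation, and `check_csr` and `make_sample_csr` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: sanity-check a saved CSR before submitting it to the CA.
# Usage: check_csr FILE EXPECTED_CN   (returns 0 only when every check passes)
check_csr() {
    csr=$1 want_cn=$2

    # 1. PEM framing: both marker lines must have survived the copy or save.
    grep -q -- '^-----BEGIN CERTIFICATE REQUEST-----' "$csr" ||
        { echo "FAIL: BEGIN marker missing" >&2; return 2; }
    grep -q -- '^-----END CERTIFICATE REQUEST-----' "$csr" ||
        { echo "FAIL: END marker missing" >&2; return 2; }

    # 2. Self-signature: fails if the body was truncated or altered.
    #    Match the message text because older OpenSSL builds exit 0 on failure.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' ||
        { echo "FAIL: CSR self-signature does not verify" >&2; return 3; }

    # 3. Subject CN must be the name that was entered in the DN box.
    got_cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
             sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$got_cn" = "$want_cn" ] ||
        { echo "FAIL: CN is '$got_cn', expected '$want_cn'" >&2; return 4; }

    # 4. Key size (RSA key assumed): 2048 bits is the minimum public CAs accept.
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: key is ${bits:-unknown} bits" >&2; return 5; }

    echo "OK: CN=$got_cn, ${bits}-bit key, signature verifies"
}

# Constructed sample input: a throwaway key and CSR standing in for the file
# saved from the appliance. Usage: make_sample_csr DIR CN -> DIR/sample.csr
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/sample.key" -out "$1/sample.csr" 2>/dev/null
}

# Demo (run by hand):
#   tmp=$(mktemp -d); make_sample_csr "$tmp" vpn.yourdomain.com
#   check_csr "$tmp/sample.csr" vpn.yourdomain.com
```

For a SAN request, the names entered under Define Alternate Names can be reviewed in the output of `openssl req -in FILE -noout -text`.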
