[FW-1] Using External CA with SecureClient

Has anyone had any success getting an external CA to work with SecureClient
in NGFP1?

I can get certificate-based authentication to work easily when I use the
ICA, but we have been unable to get this to work with an external CA.
We are using a CA setup on Win2000, and the CA is defined on NGFP1 as an
external CA, its certificate is listed on the VPN section of the firewall
object.
We have enabled "use any of its certificates" on the firewall, as opposed
to a particular CA.

When we do a site update on SecureClient, it always fails, the logs showing
"unknown user."
The log shows an accepted http connection to the CA server, indicating that
it is looking for the CRL there.

I noted that when using the ICA, we had generated a certificate for the
SecureClient user, and exported it so that it can be used from the client
machine (or on a token that will hold the certificate). However, when using
the external CA, we imported the CA-issued cert for that user on the
client, but the firewall does not have this cert (only the DN from the
external CA-Server). Well, the external CA-server is not the root CA of the
ICA -- so does this mean that the ICA does not TRUST certs from the
external CA by default? Or is it that a configuration issue results in
mismatched certificates, hence the failure? (i.e. the ICA is comparing the
"user cert" to the "external CA cert".)

Would it be possible to have the external CA issue a certificate to the ICA
and would this help?


Dave Gianna, MS, CCSE, CCSI, NSA, RSA/CA
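Added illustration, not part of the original post and not Check Point code: the two checks the question turns on, modelled with Go's standard crypto/x509. A gateway that maps a presented certificate to a user object has to (1) chain the certificate to a CA it actually trusts and (2) match the certificate's subject DN against the DN stored for the user. The example builds an "Internal CA" and a "Win2000 External CA" in memory, has the external CA issue the user certificate, and then runs the verification three ways: trusting only the ICA (fails with "unknown authority", the external CA is not a root the ICA trusts by default), trusting the external CA but with a stored DN that differs from the certificate's DN (fails on the DN comparison), and the correct combination. The CA names, the user DN "dgianna", and the CRL URL are constructed for the example; the CRL distribution point is only embedded here so you can see the URL a gateway would fetch, the Go verifier does not download it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed CA. It stands in for either the gateway's ICA
// or the Windows 2000 external CA from the post; both names are hypothetical.
func newCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueUserCert has a CA sign an end-entity certificate for a SecureClient
// user. crlURL is a constructed CRL distribution point, like the one the
// gateway in the post contacted over HTTP.
func issueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject pkix.Name, crlURL string) (*x509.Certificate, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		CRLDistributionPoints: []string{crlURL},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &userKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyUser performs the two checks a gateway needs before it can map a
// presented certificate to a user object: chain it to a trusted CA, then
// compare the subject DN with the DN stored for that user.
func verifyUser(user *x509.Certificate, trusted []*x509.Certificate, wantDN pkix.Name) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := user.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err) // wraps x509.UnknownAuthorityError for an untrusted issuer
	}
	if got, want := user.Subject.String(), wantDN.String(); got != want {
		return fmt.Errorf("DN mismatch: certificate %q, user object %q", got, want)
	}
	return nil
}

// IsUnknownAuthority reports whether a verification error is the "signed by
// unknown authority" case, i.e. the verifier simply does not trust the issuer.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// RunScenario reproduces the situation in the post with constructed data: the
// user certificate comes from the external CA, not the ICA. It returns the
// outcome of trusting only the ICA, trusting the external CA with a stored DN
// that lacks the certificate's OU, and the correct configuration.
func RunScenario() (icaOnly, wrongDN, ok error) {
	ica, _, err := newCA("Internal CA")
	if err != nil {
		return err, err, err
	}
	extCA, extKey, err := newCA("Win2000 External CA")
	if err != nil {
		return err, err, err
	}
	certDN := pkix.Name{CommonName: "dgianna", OrganizationalUnit: []string{"Users"}, Organization: []string{"Example"}}
	user, err := issueUserCert(extCA, extKey, certDN, "http://ca.example.internal/CertEnroll/ExternalCA.crl")
	if err != nil {
		return err, err, err
	}
	storedDN := pkix.Name{CommonName: "dgianna", Organization: []string{"Example"}} // DN typed into the gateway, OU omitted
	icaOnly = verifyUser(user, []*x509.Certificate{ica}, certDN)
	wrongDN = verifyUser(user, []*x509.Certificate{extCA}, storedDN)
	ok = verifyUser(user, []*x509.Certificate{extCA}, certDN)
	return icaOnly, wrongDN, ok
}

func main() {
	icaOnly, wrongDN, ok := RunScenario()
	fmt.Println("trust ICA only:      ", icaOnly)
	fmt.Println("external CA, bad DN: ", wrongDN)
	fmt.Println("external CA, good DN:", ok)
}
```

The practical reading: a "user unknown" style failure can come from either step, and the two need different fixes. If the issuer is not in the trusted set, the gateway never gets as far as looking at the DN; if the issuer is trusted but the DN string on the user object does not match the subject the external CA actually wrote into the certificate (extra OU, different attribute order), the chain succeeds and the lookup still fails.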

   All contents © 2004 Network Presence, LLC. All rights reserved.