[FW-1] Using External CA with SecureClient
Has anyone had any success getting an external CA to work with SecureClient in NGFP1? I can get certificate-based authentication to work easily when I use the ICA, but we have been unable to get this to work with an external CA. We are using a CA set up on Win2000, and the CA is defined on NGFP1 as an external CA; its certificate is listed on the VPN section of the firewall object. We have enabled "use any of its certificates" on the firewall, as opposed to a particular CA. When we do a site update on SecureClient, it always fails, the logs showing "unknown user." The log shows an accepted http connection to the CA server, indicating that it is looking for the CRL there.

I noted that when using the ICA, we had generated a certificate for the SecureClient user and exported it so that it can be used from the client machine (or on a token that will hold the certificate). However, when using the external CA, we imported the CA-issued cert for that user on the client, but the firewall does not have this cert (only the DN from the external CA server).

Well, the external CA server is not the root CA of the ICA -- so does this mean that the ICA does not TRUST certs from the external CA by default? Or is it that a configuration issue results in mismatched certificates, hence the failure? (i.e. the ICA is comparing the "user cert" to the "external CA cert"). Would it be possible to have the external CA issue a certificate to the ICA, and would this help?
Dave Gianna, MS, CCSE, CCSI, NSA, RSA/CA
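As an added example (not part of Dave's post or any Check Point tooling), the shell script below uses openssl to reproduce the trust question he raises: a user certificate issued by an external CA verifies only when that external CA's own certificate is in the trusted set, and the issuer DN on the user certificate has to equal the subject DN of that CA certificate. The CA and user names are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo: a leaf certificate chains only to the CA that signed it.
# "ica" stands in for an internal CA, "extca" for a separate external CA.
set -e
WORK=$(mktemp -d)

# Create a self-signed CA: $1 = file stem, $2 = subject DN.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

# Issue a user certificate signed by CA $1 with subject DN $2.
issue_user_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/user.key" \
    -out "$WORK/user.csr" -subj "$2" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 30 \
    -out "$WORK/user.pem" >/dev/null 2>&1
}

# Exit 0 if user.pem chains to CA $1, i.e. the check a gateway makes when it
# validates a client certificate against the CA certificates it trusts.
chains_to() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/user.pem" >/dev/null 2>&1
}

# Issuer DN of the user certificate, and subject DN of CA $1, for comparison.
user_issuer_dn() {
  openssl x509 -noout -issuer -in "$WORK/user.pem" | sed 's/^issuer=//'
}
ca_subject_dn() {
  openssl x509 -noout -subject -in "$WORK/$1.pem" | sed 's/^subject=//'
}

make_ca ica   "/O=Firewall Example/CN=Internal CA"
make_ca extca "/O=Corp Example/CN=External Win2000 CA"
issue_user_cert extca "/O=Corp Example/CN=vpn-user"

# Trusting only the internal CA rejects the externally issued certificate;
# trusting the external CA certificate makes the very same certificate verify.
if chains_to ica; then echo "unexpected: verified against internal CA"; fi
chains_to extca && echo "user cert chains to the external CA"
echo "issuer DN on user cert   : $(user_issuer_dn)"
echo "subject DN of external CA: $(ca_subject_dn extca)"
```

Run the same two checks against the CA certificate actually loaded on the gateway and the certificate actually imported on the client; a mismatch in either shows up here before any VPN log is consulted.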