
Creating a PKCS#12 Certificate
For Manual Installation on Embedded NG Appliances

June 2004

Introduction
About This Document
This document describes two methods by which you can create or obtain a
PKCS#12 file for manual installation on your Safe@Office or VPN-1 Edge
Internet Security appliance:

o Creating a PKCS#12 Certificate Using OpenSSL

o Exporting a PKCS#12 file from Check Point SmartCenter

Note:
If the VPN settings of your appliance are centrally managed by a Check Point
SmartCenter or SofaWare Security Management Portal (SMP), a PKCS#12
certificate is automatically downloaded and installed on your appliance – there is
no need to install it manually.

Creating a PKCS#12 Certificate Using OpenSSL


About OpenSSL
OpenSSL is a free, open-source toolkit that can be used to generate private keys and
X.509 certificates.

Step 1 - Download and Install OpenSSL

OpenSSL is available in several builds for different operating systems.
Official site: http://www.openssl.org/
OpenSSL for Windows: http://www.slproweb.com/products/Win32OpenSSL.html

Step 2 - Generate the Root Certificate Request


C:\OpenSSL\bin>OpenSSL req -new -out MyCA.req -keyout MyCA.key
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
................++++++
.............++++++
writing new private key to 'MyCA.key'
Enter PEM pass phrase:<password>
Verifying - Enter PEM pass phrase:<password>
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IL
State or Province Name (full name) [Some-State]:Israel
Locality Name (eg, city) []:Tel-Aviv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Name Ltd.
Organizational Unit Name (eg, section) []:Support
Common Name (eg, YOUR name) []:John
Email Address []:john@mydomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<password>
An optional company name []:[Enter]

Step 3 - Self-Sign the Root Certificate Request

C:\OpenSSL\bin>OpenSSL x509 -req -in MyCA.req -signkey MyCA.key -out MyCA.crt -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=IL/ST=Israel/L=Tel-Aviv/O=My Company Name Ltd./OU=Support/CN=John/emailAddress=john@mydomain.com
Getting Private key
Enter pass phrase for MyCA.key:<password>

Step 4 - Generate a Certificate Request for the Gateway

C:\OpenSSL\bin>OpenSSL req -new -out MyCert.req -keyout MyCert.key
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...++++++
...........++++++
writing new private key to 'MyCert.key'
Enter PEM pass phrase:<password>
Verifying - Enter PEM pass phrase:<password>
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name
or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IL
State or Province Name (full name) [Some-State]:Israel
Locality Name (eg, city) []:Tel-Aviv
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Company Name Ltd.
Organizational Unit Name (eg, section) []:Support
Common Name (eg, YOUR name) []:John
Email Address []:john@mydomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<password>
An optional company name []:[Enter]

Step 5 - Sign the Gateway Certificate Request

C:\OpenSSL\bin>OpenSSL x509 -req -in MyCert.req -out MyCert.crt -CA MyCA.crt -CAkey MyCA.key -CAcreateserial -days 365
Loading 'screen' into random state - done
Signature ok
subject=/C=IL/ST=Israel/L=Tel-Aviv/O=My Company Name Ltd./OU=Support/CN=John/emailAddress=john@mydomain.com
Getting CA Private Key
Enter pass phrase for MyCA.key:<password>

Step 6 - Produce a PKCS#12 File

C:\OpenSSL\bin>OpenSSL pkcs12 -export -inkey MyCert.key -in MyCert.crt -out MyCert.p12 -certfile MyCA.crt
Loading 'screen' into random state - done
Enter pass phrase for MyCert.key:<password>
Enter Export Password:<password>
Verifying - Enter Export Password:<password>
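The following script is an added example and not part of the original document: it runs Steps 2 to 6 above without the interactive prompts (-subj, -passout and -passin take the place of typed answers) and then checks the result the way a practitioner would before copying the file to an appliance: the gateway certificate must validate against the root, the bundle must contain both certificates, and the bundle must refuse to open under any password other than the export password. It assumes a POSIX shell and an openssl binary (1.1.1 or 3.x) on PATH; file names follow the document, while the subjects, passphrases, extension files and the script name make_p12.sh are constructed for the example. Two deliberate departures from the transcript, both noted in comments: 2048-bit keys instead of the 2004 default of 1024 bits, and basicConstraints extensions so the root is explicitly a CA and the gateway certificate explicitly is not.

```shell
#!/bin/sh
# Added example, not part of the original document: Steps 2 to 6 run
# non-interactively, followed by checks on the resulting PKCS#12 bundle.
# Assumes a POSIX shell and openssl (1.1.1 or 3.x) on PATH. File names follow
# the document; subjects and passphrases below are constructed for the example.

CA_SUBJ="/C=IL/ST=Israel/L=Tel-Aviv/O=My Company Name Ltd./OU=Support/CN=My Root CA/emailAddress=john@mydomain.com"
GW_SUBJ="/C=IL/ST=Israel/L=Tel-Aviv/O=My Company Name Ltd./OU=Support/CN=John/emailAddress=john@mydomain.com"
KEY_PASS="key-pass-constructed"        # protects MyCA.key and MyCert.key on disk
EXPORT_PASS="p12-pass-constructed"     # the PKCS#12 export password of Step 6

# build_p12 DIR: produce MyCA.key/.crt, MyCert.key/.crt and MyCert.p12 in DIR.
# Returns non-zero as soon as any openssl step fails.
build_p12() {
  dir=$1
  # Extensions the document's certificates lack: mark the root as a CA and the
  # gateway certificate as an end entity, so chain validation is unambiguous.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' >"$dir/gw.ext"

  # Step 2: root key and request (2048-bit RSA; the 2004 default of 1024 bits
  # is no longer considered adequate)
  openssl req -new -newkey rsa:2048 -subj "$CA_SUBJ" \
    -keyout "$dir/MyCA.key" -passout "pass:$KEY_PASS" \
    -out "$dir/MyCA.req" 2>/dev/null || return 1
  # Step 3: self-sign the root request
  openssl x509 -req -in "$dir/MyCA.req" -signkey "$dir/MyCA.key" -passin "pass:$KEY_PASS" \
    -extfile "$dir/ca.ext" -out "$dir/MyCA.crt" -days 365 2>/dev/null || return 1
  # Step 4: gateway key and request
  openssl req -new -newkey rsa:2048 -subj "$GW_SUBJ" \
    -keyout "$dir/MyCert.key" -passout "pass:$KEY_PASS" \
    -out "$dir/MyCert.req" 2>/dev/null || return 1
  # Step 5: sign the gateway request with the root
  openssl x509 -req -in "$dir/MyCert.req" -CA "$dir/MyCA.crt" -CAkey "$dir/MyCA.key" \
    -passin "pass:$KEY_PASS" -CAcreateserial -extfile "$dir/gw.ext" \
    -out "$dir/MyCert.crt" -days 365 2>/dev/null || return 1
  # Step 6: bundle gateway key + certificate + root certificate into PKCS#12;
  # the export password is what protects the private key inside the file
  openssl pkcs12 -export -inkey "$dir/MyCert.key" -passin "pass:$KEY_PASS" \
    -in "$dir/MyCert.crt" -certfile "$dir/MyCA.crt" \
    -out "$dir/MyCert.p12" -passout "pass:$EXPORT_PASS" 2>/dev/null || return 1
}

# verify_chain DIR: does MyCert.crt chain to MyCA.crt? (exit status of openssl verify)
verify_chain() {
  openssl verify -CAfile "$1/MyCA.crt" "$1/MyCert.crt" >/dev/null 2>&1
}

# p12_opens DIR PASSWORD: succeeds only if the bundle's MAC verifies under PASSWORD
p12_opens() {
  openssl pkcs12 -in "$1/MyCert.p12" -passin "pass:$2" -nokeys -noout >/dev/null 2>&1
}

# p12_cert_count DIR: number of certificates in the bundle (gateway + root = 2)
p12_cert_count() {
  openssl pkcs12 -in "$1/MyCert.p12" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# p12_subject_cn DIR: CN of the certificate that matches the bundled private key
p12_subject_cn() {
  openssl pkcs12 -in "$1/MyCert.p12" -passin "pass:$EXPORT_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Runs the whole procedure in a scratch directory when invoked as
# "sh make_p12.sh" (hypothetical file name).
if [ "${0##*/}" = "make_p12.sh" ]; then
  work=$(mktemp -d)
  build_p12 "$work" && verify_chain "$work" \
    && echo "$work/MyCert.p12: $(p12_cert_count "$work") certificates, CN=$(p12_subject_cn "$work")"
fi
```

Because the PEM pass phrase only protects the .key files on disk, and the .p12 file carries the gateway's private key under the export password alone, the export password is the one that matters once the bundle leaves the machine; p12_opens shows that a wrong password is rejected by the bundle's MAC rather than yielding a key.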

Exporting a PKCS#12 file from Check Point SmartCenter


Option 1: Using the Command Line
Check Point SmartCenter version R54 or later is required.
Open a command prompt and type the following:

vpn export_p12 -obj <network object> -cert <certobj> -file <filename> -passwd <password>

<network object> is the VPN-1 Edge gateway object name.
<certobj> is the name of the certificate as it appears in the gateway object. The
certificate's name appears in the Certificate List area.
<filename> is the name of the file to be created. It must be a *.p12 file.
<password> is the password used to authenticate and load the *.p12 file.

Usage example:
vpn export_p12 -obj Office_GW -cert defaultCert -file office_cert.p12 -passwd mypassword

Option 2: From the SmartDashboard GUI

Check Point SmartCenter version R55 or later is required.

1. Create a VPN-1 Edge object with VPN properties.
2. A certificate is automatically created for this object.
3. Double-click the certificate name in the object's VPN tab.
4. Save the certificate as a *.p12 file.
