Checkpoint firewall VPN cert

Hi guys,

I am new to this and have some queries that I cant get my head around. I intend to get a free SSL cert from letsencrypt to install on my Checkpoint Firewall, so far I think I need to do the following

  1. Get the root and immediate cert from the url below
  2. Install them as a trust CA
  3. Generate CSR file using the immediate cert
    the CN name can be anything or must be exact same as my vpn url?
  4. go to to generate signed CSR
    I dont understand the public key part here
  5. Install the signed CSR to checkpoint

Please help to advise if any of the above step is wrong.

have you read any guides from checkpoint

this would be the usual starting point as vendors vary from

you should use your big words and explain for what you are trying to get a certificate for (is it the management interface, SSL VPN etc etc)

Have a look at various articles here.

Also your flow is off

A) Generate Private Key (this can be done by yourself or your appliance)
B) From Private Key generate a CSR
C) Submit CSR to CA and pass challenge (this is what clients such as gethttpsforfree do)
D) Install Certificate on your appliance


Hi @tungcisco,

There are two separate keypairs involved here: a public/private keypair for your Let’s Encrypt account (this is used instead of an account password), and a public/private keypair to identify your server to people who connect to it (here, this public key is mentioned in the CSR, and is going to be the subject key described in your certificate after the certificate is issued). The public key that Step 1 on that site asks for is a public key for your Let’s Encrypt account and is not related to the CSR at all. There’s a link there called “how do I generate this?” to explain how to generate a keypair if you’re not familiar with that process.

Later steps on that site will involve the CSR directly, but Step 1 doesn’t.

1 Like

thank Schoen, I get it now.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.