topic Re: DigiCert Checker - Using MGMT_CLI - sk183884 in Scripts

DigiCert Checker - Using MGMT_CLI - sk183884

Adam_Forester — Tue, 02 Sep 2025 20:04:13 GMT

Note: This script is a third-party utility, not an official Check Point tool. It is provided as-is for convenience and reporting purposes. Always verify results against official Check Point documentation and support resources before taking action.

Based on the manual checks from SK 183884 I wrote a bash script that would check for DigiCert from the API.

I've uploaded to my GitHub; https://github.com/WadesWeaponShed/CheckPoint-CA-Check-sk183884/tree/main

Two Versions;

1. SMS version.

2. MDS version that will cycle through all Domains in a Multi-Domain Mgmt.

The script basically runs 3 checks;

Looks for all Trusted CA objects in the Security Management Server.
If only the default internal_ca is present the script will exit and let you know you are not using 3rd party certificates.
If other CAs exist:
- Each CA is inspected for its Distinguished Name (DN) using generic object API and looks for DigiCert signed certificates.
  - If no DN contains DigiCert, the script informs you that other CAs exist but none are DigiCert-related, and the check ends successfully without running gateway checks.
  - If a DN contains the word DigiCert, a warning is displayed and the script proceeds to gateway checks.
    - The Gateway Check will roll through all gateway objects and check if HTTPS inspection, S2S-VPN, and Mobile-Access are enabled. It will print each gateway as a line "GATEWAY_NAME: HTTPS=true/false, S2S-VPN=true/false, Mobile-Access=true/false

Re: DigiCert Checker - Using MGMT_CLI - sk183884

Danny — Tue, 02 Sep 2025 19:53:31 GMT

Thanks for this script that will help people during the few remaining days that this check is required.

Re: DigiCert Checker - Using MGMT_CLI - sk183884

Adam_Forester — Tue, 02 Sep 2025 20:07:09 GMT

Thanks @Danny PTO so I'm catching up and one of my larger folks asked me to automate some checks so decided to at least share for the short period we have left. I just updated it for MDS too, working on testing now.

Re: DigiCert Checker - Using MGMT_CLI - sk183884

the_rock — Wed, 03 Sep 2025 00:30:29 GMT

Excellent. Just tried it in the lab, worked great.

Andy

Re: DigiCert Checker - Using MGMT_CLI - sk183884

the_rock — Wed, 03 Sep 2025 12:05:22 GMT

Just had one customer ran it and they got the same as me below, in the lab.

Andy

[Expert@CP-MANAGEMENT:0]# ./sms_ca_check.sh
Section 1: Checking Trusted Certificate Authorities...
Result: Only 'internal_ca' found — you don't have any other certificate authorities.
Check Complete ✅
[Expert@CP-MANAGEMENT:0]#

Re: DigiCert Checker - Using MGMT_CLI - sk183884

Hugo_vd_Kooij — Fri, 05 Sep 2025 09:45:11 GMT

Just ran it on a cluster of 3 nodes.

On any domain not on the local MDS it will fail with the error: Error: Failed to login to the management server

On the local domains I got the error: jq: error: Cannot iterate over null

I will see if I can figure out why this jq error happens.

Re: DigiCert Checker - Using MGMT_CLI - sk183884

Hugo_vd_Kooij — Fri, 05 Sep 2025 10:08:22 GMT

Ahh. The shown API command is only valid as of version 2.0 of the Management API. So it only works on R82 and above.

When I test on our R82 MDS I get this for each domain:jq: error: object and string cannot be subtracted

Re: DigiCert Checker - Using MGMT_CLI - sk183884

Adam_Forester — Fri, 05 Sep 2025 13:37:14 GMT

Are you testing the MDS script?

Re: DigiCert Checker - Using MGMT_CLI - sk183884

Hugo_vd_Kooij — Mon, 08 Sep 2025 08:23:29 GMT

I did.

Re: DigiCert Checker - Using MGMT_CLI - sk183884

the_rock — Mon, 08 Sep 2025 10:33:58 GMT

Odd...I tested yesterday in R82 mds lab and worked fine.

Andy