topic Re: Certificate Renewal - how is this task processed - Reporting options required in Firewall and Security Management

Certificate Renewal - how is this task processed - Reporting options required

Somasekharan_Va — Tue, 13 Feb 2018 13:27:52 GMT

Hello,

Can someone help me to check the certificates installed on Check Point appliances?. I have two requirements, need to check whether these appliance/gateways are installed valid certificate for WebUI and SSH access and what is the validity and expiry date and who provided the certificate (ether ICA or third-party certificate authority)

Any update on this is greatly appreciated

Thanks in advance

Thanks,

Somasekharan

Re: Certificate Renewal - how is this task processed - Reporting options required

PhoneBoy — Tue, 13 Feb 2018 23:01:17 GMT

Moving to Appliances and Gaia‌

Every time you connect to one of the web portals, the public certificate of that portal should be offered.

This is how TLS works.

I suppose you could use something like the following to programmatically evaluate the various portals: Proactively Handling Certificate Expiration With ssl-cert-check -- Prefetch Technologies

SSH keys are not issued by a certificate authority.

They are almost always internally generated and do not have an expiration date.

Re: Certificate Renewal - how is this task processed - Reporting options required

XavierBens — Wed, 14 Feb 2018 21:33:31 GMT

If you need to check all certificates expiration, you may check also the ones which are used to establish IPSec tunnels. By default they are generated for 5 years ... if some of your Security Gateways have to be in place approx this time, you should pay attention to that expiration : if expired, you will not be able to establish VPN IPSec tunnel.

I use the following command on the Security Management Server:

cpca_client lscert -kind IKE -stat Valid > /var/ValidIKECert_`/bin/date +%Y-%m-%d_%H%M`.txt

More details on cpca_client lscert command (from Command Line Interface Reference Guide of R77😞
Description Show all certificates issued by the ICA.
Syntax

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}]
[-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameter Description
-d Runs the command in debug mode
-dn substring Filters results to those with a DN that matches this <substring>
-stat Filters results to the specified certificate status: Pending, Valid, Revoke, Expire, or Renewed
-kind Filters results for specified kind: SIC, IKE, User, or LDAP
-ser <serial> Filters results for this serial number
-dp <dp> Filters results from this CDP (certificate distribution point)

The content of the file generated should be something like:

which could be transform to:

... in order to be imported in any spreadsheet software.

Re: Certificate Renewal - how is this task processed - Reporting options required

Somasekharan_Va — Thu, 15 Feb 2018 07:46:05 GMT

Thank you for your response

Re: Certificate Renewal - how is this task processed - Reporting options required

Somasekharan_Va — Thu, 15 Feb 2018 07:46:24 GMT

Thank you for your input

Re: Certificate Renewal - how is this task processed - Reporting options required

Somasekharan_Va — Thu, 15 Feb 2018 07:50:02 GMT

Thank you all for your feedback. I will go through your comments.

If we have the certificate from the internal Certificate authority for For the administrative access (via ssh, WEB-UI) on the security components, hope the same can be pushed to use laptop using Group Policy.

My organization is asking for the certificate for administrative access (via ssh, WEB-UI) on the security components.