topic How to extract auto-signed certificate info in Firewall and Security Management

How to extract auto-signed certificate info

Franktum — Mon, 26 Feb 2024 11:33:03 GMT

Hi,

Last friday we got an issue when the Identity Collectors couldn't connect to a gateway. After a while we realised the certificate on the gateway expired. We fixed the issue by renewing it.

Now what we want is to monitor when that certificate will expire and to configure an alert to notify us 1 month earlier. The idea is to know what command tells us the expiration day of that certificate. We tried this command in all interfaces of the gateway, it shows the info from another certificate in the appliance, not the one we want:

cpopenssl s_client -connect X.X.X.X:443 | cpopenssl x509 -text

The output of that command shows us the certificate is going to expire on 2028 and the interesting certificate will expire on 2025 so it's reading another cert.

Do you know the command to extract the info of that certificate?

Thanks!

Re: How to extract auto-signed certificate info

Lesley — Mon, 26 Feb 2024 12:00:57 GMT

Maybe this command helps you:

[SMARTCENTER]# cpca_client lscert

[SMARTCENTER]# cpca_client lscert ?
Error: odd argument ? for lscert
Usage: cpca_client [-d]
create_cert [-p <ca_port>] -n "CN=<common name>" -f <PKCS12 filename> [-w <password>] [-k <SIC|USER|IKE|ADMIN_PKG>] [-c cert_comment]
revoke_cert [-p <ca_port>] [-n "CN=<common name>"] [-s <serial_number>]
revoke_non_exist_cert -i <input_file_full_path>
init_certs [-p <ca_port>] -i input_file_full_path -o output_file_full_path
get_crldp [-p <ca_port>]
set_cert_validity -k <SIC|IKE|USER> [-y num_of_years] [-d num_of_days] [-h num_of_hours] [-s num_of_seconds]
set_mgmt_tool on|off|add|remove|clean|print [-p <ca_port>] { [-a <administrator DN>] [-u <user DN>] [-c <custom user DN>] }
set_ca_services on|off
get_pubkey [-p <ca_port>] output_file
lscert [-dn substr] [-stat Pending|Valid|Revoked|Expired|Renewed] [-kind SIC|IKE|User|LDAP] [-ser ser] [-dp dp]
double_sign [-p <ca_port>] -i <input file: cert in PEM format> [-o <output file>]
set_sign_hash [sha1|sha256|sha384|sha512]
search <string> [-where dn|comment|serial|device_type|device_id|device_name] [-kind SIC|IKE|User|LDAP] [-stat Pending|Valid|Revoked|Expired|Renewed] [-max <maximum number of results>] [-showfp y/n]

Re: How to extract auto-signed certificate info

Franktum — Mon, 26 Feb 2024 12:28:07 GMT

Thanks for the answer Lesley! In management we were able to check the certificates (we got several gateways with Identity Awareness) with cpca_client lscert -ser XXXX.

Regards!