https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233340#M8855 <P>It appears the teapi leverages UserCheck, which has a portal certificate you can replace.<BR />See:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk113599" target="_blank">https://support.checkpoint.com/results/sk/sk113599</A>&nbsp;</P> Thu, 21 Nov 2024 00:03:36 GMT PhoneBoy 2024-11-21T00:03:36Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233176#M8846 <P>Hi all,</P> <P>So, we are trying to connect to the teapi and getting an error on our self-signed certificate is not trusted.</P> <P>Where do I export my manager's certificate &amp; how can I code this (python) so it is trusted rather than ignored?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 19 Nov 2024 20:53:52 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233176#M8846 Daniel_Kavan 2024-11-19T20:53:52Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233276#M8850 <P>It's not the certificate necessarily, it's the Certificate Authority (which is presumably the ICA).<BR />You might need to use the ICA Management Tool to get it: <A href="https://support.checkpoint.com/results/sk/sk30501" target="_blank">https://support.checkpoint.com/results/sk/sk30501</A>&nbsp;</P> <P>Coding acceptance of this in Python is a separate question.</P> Wed, 20 Nov 2024 15:17:26 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233276#M8850 PhoneBoy 2024-11-20T15:17:26Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233319#M8852 <P>The developers would prefer to use a wildcard certificate rather than use the CA, becuase they think it will be more of a security risk and harder to manage changes.&nbsp;&nbsp; Is there a way to use my gateway's certificate (signed), <A href="https://hostname.my.domain/teapi/et" target="_blank" rel="noopener">https://hostname.my.domain:18194/teapi/etc&nbsp;</A>and force the api to use it instead of the ica reference to my manager?</P> Wed, 20 Nov 2024 19:07:24 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233319#M8852 Daniel_Kavan 2024-11-20T19:07:24Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233340#M8855 <P>It appears the teapi leverages UserCheck, which has a portal certificate you can replace.<BR />See:&nbsp;<A href="https://support.checkpoint.com/results/sk/sk113599" target="_blank">https://support.checkpoint.com/results/sk/sk113599</A>&nbsp;</P> Thu, 21 Nov 2024 00:03:36 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233340#M8855 PhoneBoy 2024-11-21T00:03:36Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233423#M8858 <P>Isn't usercheck exclusively for browser connectivity vs a python script to 18194?</P> Thu, 21 Nov 2024 14:05:34 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233423#M8858 Daniel_Kavan 2024-11-21T14:05:34Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233445#M8859 <P>That makes more sense as UserCheck is used for the "user facing" parts of Threat Emulation/Extraction.<BR />The SK I linked suggests that the relevant Internal CA is what you need to trust as that's how it is configured in SmartEndpoint.<BR />Don't believe there is a supported way to change the API endpoint certificate.</P> Thu, 21 Nov 2024 16:46:42 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233445#M8859 PhoneBoy 2024-11-21T16:46:42Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233446#M8860 <P>I agree, that I need to trust the ICA.&nbsp;&nbsp; Does that change every year now?</P> Thu, 21 Nov 2024 16:48:25 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233446#M8860 Daniel_Kavan 2024-11-21T16:48:25Z https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233448#M8861 <P>At least for fresh installs of recent versions (e.g. R81.20), the CA should be valid until end of 2037.<BR />You can verify this by viewing the internal_ca object (under Servers &gt; Trusted CA in the Objects Explorer).</P> Thu, 21 Nov 2024 17:05:35 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/teapi/m-p/233448#M8861 PhoneBoy 2024-11-21T17:05:35Z