topic Re: Third Parties Certificate details in General Topics

Third Parties Certificate details

_Daniel_ — Mon, 02 Mar 2020 21:57:16 GMT

Hi There,

cpca_client lscert will list only the details of internal certificates, just wonder if anyone out there aware of a CLI command -or API call- to get the details for any third party used certificate on the SMS.

We were caught of a certificate expiring -causing impact on remote users, which we're trying to avoid by creating a cron job -or something similar- to alert us, but first we need to get the command to extract the information.

Many thanks as always

Re: Third Parties Certificate details

PhoneBoy — Tue, 03 Mar 2020 01:43:34 GMT

Doesn't appear to be API support for this, and I'm not aware of any way to pull this over the CLI.
Might be an RFE.
@Eran_Habad

Re: Third Parties Certificate details

_Val_ — Tue, 03 Mar 2020 08:09:33 GMT

API commands for user management are still on the roadmap.

However,

 echo -e "query users\n-q\n" |dbedit -local

with some additional greps should do the trick

Re: Third Parties Certificate details

_Daniel_ — Wed, 04 Mar 2020 03:45:18 GMT

Thanks both,

Though not after the user details in particular rather the third party certificate's details installed on the gateway for remote users connecting to.

Will keep a close eye

Cheers

Re: Third Parties Certificate details

_Val_ — Wed, 04 Mar 2020 07:26:46 GMT

Even easier, you can query GW with HTTPS on SSL portal and script certificate expiration retrieval.

Re: Third Parties Certificate details

JozkoMrkvicka — Wed, 04 Mar 2020 13:44:13 GMT

From management where gateway/cluster is managed:

fwm printcert -obj <MANAGED_GATEWAY_NAME>

Re: Third Parties Certificate details

PhoneBoy — Thu, 05 Mar 2020 00:00:49 GMT

Pretty sure that doesn't work for OPSEC CAs.
It returned an empty result on my R80.40 Manager where I have at least one OPSEC CA configured.

Re: Third Parties Certificate details

JozkoMrkvicka — Fri, 13 Mar 2020 13:54:24 GMT

fwm printcert -ca <CA_NAME>

Re: Third Parties Certificate details

PhoneBoy — Fri, 13 Mar 2020 22:40:04 GMT

Sure enough that works.

[Expert@R8040Mgmt:0]# fwm printcert -ca testca
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Not Valid Before: Thu Jun 4 04:04:38 2015 Local Time
Not Valid After: Mon Jun 4 04:04:38 2035 Local Time
Serial No.: 008210cfb0d240e3594463e0bb63828b00
Public Key: RSA (4096 bits)
Signature: RSA with SHA256
Key Usage:
keyCertSign
cRLSign
Basic Constraint:
is CA
MD5 Fingerprint:
0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
SHA-1 Fingerprints:
1. CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
2. OWNS TERM INCA TOY DRAM HAL ULAN TENT AQUA COST LINT RENT

Nice work 🙂

Re: Third Parties Certificate details

_Daniel_ — Sun, 15 Mar 2020 19:47:07 GMT

Thanks Jozko,

This command perfectly lists the CA details, not though the certificate(s) generated -and assigned to a particular gateway- by this CA itself.

I've tried another flavor of it: fwm printcert -obj <gateway>-cert <cert nickname> but didn't list the details we're after, rather it listed the certificate generated by the internal CA. Adding or removing the -cert option didn't make any difference in our case

Wish this command got an option as below:

fwm printcert -ca <3rd party CA> -cert <cert nickname>

But I still think, if the GUI can list the details, then there should be a CLI command to do it as well... I'm still digging 😉