topic 1490 certifcate valid from date CLI fetch in Spark Firewall (SMB)

1490 certifcate valid from date CLI fetch

Franco_Carched1 — Wed, 31 Jan 2018 15:03:19 GMT

Hi all,

wondering if you can help provide a way to do the below.

I am trying to get information from a 1490 device running R77.20 latest version for 1490.

We normally would use cpca_client but that has been removed from embedded appliance.

I have tried this

cpca_dbutil print $FWDIR/conf/InternalCA.db

but that only prints the information out and does not provide information on valid from and to date.

I also tried

ls -lht /opt/fw1/state/InternalCA_site.p12

this only provide me a date the file was created does anyone know how to get this information from a 1490 via command line.

Thank all,

Frank

Re: 1490 certifcate valid from date CLI fetch

PhoneBoy — Fri, 21 Jun 2019 09:14:21 GMT

If it's a question about the 1490 it should be in the https://community.checkpoint.com/community/infinity-general/smb-smp?sr=search&searchId=6ce11c64-4608-4a34-8a11-f29a93effc51&searchIndex=0‌ space.

And maybe we should tag https://community.checkpoint.com/people/mirio5da802f4-2304-47d4-915d-e09d560ea3cc‌

But just to clarify: you're looking for the dates of validity for the internal CA certificate?

Is this 1490 self-managed or are you managing it with a SmartCenter/MDM setup?

Re: 1490 certifcate valid from date CLI fetch

Franco_Carched1 — Wed, 31 Jan 2018 16:03:07 GMT

Hi Dameon,

Thanks for the response, happy for it to be moved to the correct location also.

But just to clarify: you're looking for the dates of validity for the internal CA certificate? Correct

Is this 1490 self-managed or are you managing it with a SmartCenter/MDM setup? SmartCenter managed.

Thank you

Frank

Re: 1490 certifcate valid from date CLI fetch

PhoneBoy — Wed, 31 Jan 2018 16:25:28 GMT

I'm questioning if this is the right command for the job in the first place on a gateway.

When I try to execute this command on a regular (non-SMB) R77.30 or R80.10 gateway, I get an "operation failed" message.

When I execute it on a management, I get what you describe, a bunch of lines that look like:

Subject = CN=animal,O=bunsen..9zzzzz
Status = Valid Kind = SIC Serial = 11111 DP = 0
Not_Before: Thu Aug 17 09:19:53 2017 Not_After: Wed Aug 17 09:19:53 2022

Which makes sense since the internal certificate authority only exists on the management.

It should have all the certificates for all managed gateways.

The above example is the certificate for a gateway managed by this SmartCenter.

Re: 1490 certifcate valid from date CLI fetch

Franco_Carched1 — Wed, 31 Jan 2018 16:28:55 GMT

Perfect my Friend, sorry to waste your time on this questions.

I did think about management, but our developers wanted this to come from the Appliance.

I will go with your suggestion.

Thanks Frank

Re: 1490 certifcate valid from date CLI fetch

PhoneBoy — Wed, 31 Jan 2018 17:04:31 GMT

No worries, it was a good opportunity to refresh my knowledge

Re: 1490 certifcate valid from date CLI fetch

Franco_Carched1 — Thu, 01 Feb 2018 09:18:10 GMT

Hi Dameon,

sorry to bring this back up, but I gather there is no way of getting this from the GW ? I guess we can do a check first to see if ICA_Services are allowed from Gateway to Management then check the cert on the Manager ?

cpca_client lscert seems to be missing completely from the 1490 code.

Thanks

Frank

Re: 1490 certifcate valid from date CLI fetch

PhoneBoy — Thu, 01 Feb 2018 14:50:09 GMT

I don’t see why cpca_client should exist on the SMB appliance since it does not perform central management functions, being either managed by something else or self-managed.

Re: 1490 certifcate valid from date CLI fetch

Franco_Carched1 — Thu, 01 Feb 2018 15:03:11 GMT

Ok, but if the device was managed locally then no way to retrive this info.

plus based on that if FW_ICA_services is not allowed by control connections, what if you do a check on the management it reports cert is valid but on GW it has not pushed/pulled the new cert becuase of the control connection being allowed and explict rule for the service to be allowed.

strange how a GW GAIA and not management still has cpca_client there even if it is a GW.

Cheers for the info either way but gathering from what said no way to get this out of the device itself.

Re: 1490 certifcate valid from date CLI fetch

PhoneBoy — Thu, 01 Feb 2018 17:24:03 GMT

Embedded Gaia appliances have less storage space to work with than regular appliances.

As such, items that are not required are removed from the OS image.

Like I mentioned before, you can't use cpca_client lscert on a regular gateway either as it's only meant for management.

This is documented in the following sk: How to determine SIC Certificate expiration date

I'll see if there's a way to determine this from a gateway.

Re: 1490 certifcate valid from date CLI fetch

Pedro_Espindola — Thu, 01 Feb 2018 18:24:08 GMT

Hello Franco,

Would it be related to the InternalCA.crt? If it is, you can try:

cpopenssl x509 -noout -inform DER -in /opt/fw1/conf/InternalCA.crt -enddate -startdate

You can use this for other certificates in the gateway or -text option to see complete certificate.

Re: 1490 certifcate valid from date CLI fetch

Pedro_Espindola — Thu, 01 Feb 2018 18:25:21 GMT

Maybe for locally managed SMB cluster deployments.

Re: 1490 certifcate valid from date CLI fetch

PhoneBoy — Thu, 01 Feb 2018 19:53:00 GMT

That would be for the internal CA on the appliance itself.

That's not the SIC key used by the appliance when communicating with central management.

Based on some SKs, it's going to be:

$CPDIR/conf/sic_cert.p12

I confirmed by resetting SIC on an 1100 device that the sic_cert.p12 file changes when SIC is re-established.

That means, you should be able to do something like the following to dump the key:

cpopenssl pkcs12 -info -in /opt/fw1/conf/sic_cert.p12

Except that won't work as the certificate is protected by a password, which I am going to guess we're not giving out.

Re: 1490 certifcate valid from date CLI fetch

David_Gambrin — Sun, 04 Feb 2018 05:06:08 GMT

Hi Franco Carchedi,

If you wish to know the details regarding the GW's internal CA you can do it in the WEB-UI ('Internal Certificate' page under VPN in locally managed mode) or in expert mode (both in locally and centrally managed modes) by the command `#cat $FWDIR/conf/InternalCA.fwset`.

the InternalCA.fwset is eventually a print of the internal CA that we take into a text file during it's creation using cpca.

BTW, the Internal CA is not relevant in centrally managed mode since the MGMT server is handling all the signing requests...is there any particular reason you need the info regarding the GW's internal CA in centrally managed mode as well?

Re: 1490 certifcate valid from date CLI fetch

Franco_Carched1 — Mon, 05 Feb 2018 08:28:14 GMT

Thanks David Gambrin, and all for the responses.

that command worked a treat.

cat $FWDIR/conf/InternalCA.fwset

Thanks

Frank

Re: 1490 certifcate valid from date CLI fetch

PhoneBoy — Mon, 05 Feb 2018 14:45:53 GMT

Just to be clear, that only shows the dates associated with the Internal CA on that specific device.

It does NOT reflect the SIC certificate used by the device issued by your central management.