https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240604#M12047 <P>The local WebUI will only show you local certificates, I believe.<BR />Might need to use&nbsp;<STRONG>cpca_client lscert&nbsp;</STRONG>from Expert Mode.</P> Thu, 06 Feb 2025 14:39:41 GMT PhoneBoy 2025-02-06T14:39:41Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240477#M12030 <P>We use SmartProvisioning to manage 25 or so Spark appliances. These appliances are used as satellite gateways in a VPN community, with the center gateways managed by the same SMS. I cannot find a way to determine the age/expiration date of the VPN certificate generated by the SMS (in SmartProvisioning). Here is a screenshot of the VPN tab where the cert is generated:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VPN cert SmartProvisioning.jpg" style="width: 497px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29533i1C6D03A9D6B502FA/image-dimensions/497x345?v=v2" width="497" height="345" role="button" title="VPN cert SmartProvisioning.jpg" alt="VPN cert SmartProvisioning.jpg" /></span></P> <P>As you can see, no details available. The webUI of the Spark appliance does show installed certificates, but the certs shown here are the locally generated certificates.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Spark cert1.jpg" style="width: 653px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29534i7487C099E093FA61/image-dimensions/653x179?v=v2" width="653" height="179" role="button" title="Spark cert1.jpg" alt="Spark cert1.jpg" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Spark cert2.jpg" style="width: 473px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/29536iEDBCDA0124F4B2DF/image-dimensions/473x471?v=v2" width="473" height="471" role="button" title="Spark cert2.jpg" alt="Spark cert2.jpg" /></span></P> <P>&nbsp;</P> <P>Is there a way to see the details of the certificate generated in SmartProvisioning, which is actually used for the VPN authentication?</P> <P>Thanks,</P> <P>David</P> <P>&nbsp;</P> Wed, 05 Feb 2025 13:54:04 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240477#M12030 David_C1 2025-02-05T13:54:04Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240604#M12047 <P>The local WebUI will only show you local certificates, I believe.<BR />Might need to use&nbsp;<STRONG>cpca_client lscert&nbsp;</STRONG>from Expert Mode.</P> Thu, 06 Feb 2025 14:39:41 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240604#M12047 PhoneBoy 2025-02-06T14:39:41Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240611#M12048 <P>Phoneboy - you are correct, local WebUI only shows local certificates (something not very helpful with centrally managed gateways) and the command you provided does show me what I need to see - thank you for that.</P> <P>That being said, it would be nice if the certificate view in SmartProvisioning had same features as in SmartConsole, where you can actually see details of the cert.</P> <P>Dave</P> Thu, 06 Feb 2025 15:15:01 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240611#M12048 David_C1 2025-02-06T15:15:01Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240616#M12049 <P>Bad form I know to reply to my own post, but follow up question:</P> <P><STRONG>cpca_client lscert&nbsp;</STRONG>shows me the certs that the CA has issued (including expired, revoked certs).&nbsp; There are many examples of numerous certs issued for the same gateway, same function. How do I&nbsp;<STRONG>know</STRONG> which cert the client is actually using? If one cert is expired, one is valid, I can&nbsp;<STRONG>assume</STRONG> that the gateway is using the valid cert? Or is there some way on the client side I can verify?</P> <P>Dave</P> Thu, 06 Feb 2025 15:29:10 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240616#M12049 David_C1 2025-02-06T15:29:10Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240629#M12050 <P>Only valid certs should be used.<BR />To see which one is actually used, a debug might be required.</P> Thu, 06 Feb 2025 15:49:24 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Centrally-managed-Spark-appliance-and-VPN-certificates/m-p/240629#M12050 PhoneBoy 2025-02-06T15:49:24Z