Hello
R81, API 1.7.1
Adding server certificates for HTTPS Inspection fails when using the API, mgmt_cli or Web Service.
It only works manually using the dashboard.
(On the console it is not possible because the p12 certificate in base64 is too big for the console.)
I always receive "Failed to create HTTPS inbound certificate with error -1"
The basic command used (also with another user, mgmt_cli --user ....):
mgmt_cli -r true add server-certificate name "NameCertificate" base64-certificate "MIIQEAIB...5489characters....ggA" base64-password "password_format_base64" comments "TESTING CERTIFICATE IMPORT"
What I did to convert and test the base64-formatted certificate:
converted to base64 using #base64 ...file.p12 > certificate_p12_formatbase64
tested the way back using "base64 -d" and "openssl pkcs12"
What could be the issue? Does anyone else have this issue?
The --debug option does not give any further information.
Thank you for your help
Jean-Michel
-----------------------------------------
#LOGIN
mgmt_cli --user "MYuser" -p *** login
uid: "9a4..MYuser..926"
sid: "W9ZG.MYuser.-RNw"
url: "https://127.0.0.1:443/web_api"
session-timeout: 600
last-login-was-at:
posix: 1643972043061
iso-8601: "2022-02-04T11:54+0100"
api-server-version: "1.7.1"
user-name: "MYuser"
user-uid: "f1c..MYuser..e4"
#ADD certificate
mgmt_cli --session-id W9Z..MYuser..-RNw add server-certificate name "CertificateXX" base64-certificate "MIIQ....ggA" base64-password "Qi...K=" comments "TESTING CERTIFICATE IMPORT"
code: "err_server_certificate_operation_failed"
message: "Failed to create HTTPS inbound certificate with error '-1'"
#LOGOUT
mgmt_cli --session-id "W9Z..MYuser..-RNw" logout
I also had the problem and saw with tcpdump that fewer bytes were transferred than the length of the certificate. Unfortunately, this is only a guess, as you cannot see the real bytes in the https session. I would open a TAC Case.
Does the same work on the CLI in expert mode?
# mgmt_cli add server-certificate name "CertificateXX" base64-certificate "MIIQ....ggA" base64-password "Qi...K=" comments "TESTING CERTIFICATE IMPORT" --format json
I recall there was a problem with the API call and either the base64 cert or password was truncated. What JHF are you running? Must be at or above Take34. Best case here is to open a TAC ticket.
Hello
We have HOTFIX_R81_JUMBO_HF_MAIN Take: 44
I tried with REST-API, with curl, with shell mgmt_cli and show console. Always error = -1
(The worst was with show console, where the certificate cannot be inserted ... it seems too big for the console.)
PS: I opened a case to my vendor
Thank you for your feedback
Jean-Michel
Hi
solved
In our environment the session-name and session-description are a must (otherwise the command is aborted)
options "session-name", "session-description"
and you must have rights to publish the certificate (otherwise the changes stay in the session indefinitely or are aborted)
Thank you for your help
Hi pepj, can you explain this a little further please?
I currently have the same problem and already specified a session name and description via "set session", still receiving the error.
Thank you
Hi
I filled "session-name" and "session-description" as defined by our security
and
created a special role only for managing certificates and some needs:
deactivated all outside of:
access control
- access control and objects settings: write
- application control and url filtering : checked
threat prevention
- permission setting: write
other:
- common objects write
- checkpoint point userdatabase default write
- https inspection : write
- client certificate : checked
monitor and logging
- https inspection log : checked
management
- management API : checked
endpoint
- allow executing pushing operation
I hope this helps
My problem was simpler.
The password was incorrect with the same error message "Failed to create HTTPS certificate with error '-1'"
But I didn't notice it at first, it took me almost 2 hours to find it.
In the API documentation the password used is: "bXlfcGFzc3dvcmQ="
$ echo bXlfcGFzc3dvcmQ= | base64 -d
my_password
$
$ echo "my_password" | base64
bXlfcGFzc3dvcmQK
$
$ echo bXlfcGFzc3dvcmQK | base64 -d
my_password
$
What is happening? After 2 hours I realized that there is another <enter> after the password
$ echo bXlfcGFzc3dvcmQ= | base64 -d | hexdump -C
00000000 6d 79 5f 70 61 73 73 77 6f 72 64 |my_password|
0000000b
$
$ echo bXlfcGFzc3dvcmQK | base64 -d | hexdump -C
00000000 6d 79 5f 70 61 73 73 77 6f 72 64 0a |my_password.|
0000000c
$
There is a "0a" at the end.
So I had to remove the "0a"
$ echo -n "my_password" | base64
bXlfcGFzc3dvcmQ=
$
"bXlfcGFzc3dvcmQ=" same as in the documentation.
This could’ve been it: 'Hey, dummy, wrong password!'😁
Br,
Zolo
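Added example (not part of the thread or of Check Point's documentation): shell helpers for preparing and checking the two base64 fields passed to `add server-certificate`, covering the trailing-newline mistake described above and the truncation suspected earlier in the thread. The function names and the sample bytes are constructed for illustration; note that GNU `base64` wraps its output at 76 columns by default, so the helpers strip line breaks.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Encode a password WITHOUT the trailing newline that plain `echo` appends.
b64_password() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Encode a file (e.g. the .p12) as a single unwrapped base64 line.
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# Print the last decoded byte of a base64 string as two hex digits.
# (Command substitution would hide a trailing LF, so inspect the byte itself.)
last_byte_hex() {
    printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n'
}

# Return 0 if the decoded password is clean, 1 if it ends in LF or CR.
check_b64_password() {
    case "$(last_byte_hex "$1")" in
        0a|0d) echo "decoded password ends in a line break" >&2; return 1 ;;
        *) return 0 ;;
    esac
}

# Return 0 only if the base64 string decodes to exactly the bytes of file $2;
# a truncated or damaged string fails the comparison.
check_b64_file() {
    printf '%s' "$1" | base64 -d | cmp -s - "$2"
}

# --- demo on constructed values ---
good=$(b64_password "my_password")        # bXlfcGFzc3dvcmQ=
bad=$(echo "my_password" | base64)        # bXlfcGFzc3dvcmQK (extra 0a)
check_b64_password "$good" && echo "good password field: ok"
check_b64_password "$bad" 2>/dev/null || echo "bad password field: rejected"

sample=$(mktemp)                          # stand-in for a real .p12 file
printf 'constructed\000bytes\001\002' > "$sample"
enc=$(b64_file "$sample")
check_b64_file "$enc" "$sample" && echo "certificate field: round-trips"
check_b64_file "${enc%????}" "$sample" 2>/dev/null || echo "truncated field: rejected"
rm -f "$sample"
```

Running `check_b64_file` against the exact string that will be placed in `base64-certificate` confirms the value survived copy and paste before it is sent to the API.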