Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
pepj
Participant

add server-certificates failed (API and mgmt_cli)

Hello
R81, API 1.7.1
add server-certificates  for HPPTS-Inspection failed when using API , mgmt_cli or Web Service.
It functions only manually using the dashboard.
( on console not possible because the certificate p12 in base64 is too big for the console)

I always receive "Failed to create HTTPS inbound certificate with error -1"

as basic command used ( also with other user mgmt_cli --user .... )
mgmt_cli -r true add server-certificate name "NameCertificate" base64-certificate "MIIQEAIB...5489characters....ggA" base64-password "password_format_base64" comments "TESTING CERTIFICATE IMPORT"

What I did for converting and testing the formatted base64 certificate
  converted to base64 using #base64 ...file.p12 > certificate_p12_formatbase64
  tested way back using "base64 -d " and "openssl pkcs12"

What could be the issue ? do have someone else this issue ?
the --debug option do not give any further information

Thank you for your help
Jean-Michel

-----------------------------------------

#LOGIN
mgmt_cli --user "MYuser" -p *** login
    uid: "9a4..MYuser..926"
    sid: "W9ZG.MYuser.-RNw"
    url: "https://127.0.0.1:443/web_api"
    session-timeout: 600
    last-login-was-at:
    posix: 1643972043061
    iso-8601: "2022-02-04T11:54+0100"
    api-server-version: "1.7.1"
    user-name: "MYuser"
    user-uid: "f1c..MYuser..e4"

#ADD certificate
mgmt_cli --session-id W9Z..MYuser..-RNw add server-certificate name "CertificateXX base64-certificate "MIIQ....ggA" base64-password "Qi...K=" comments "TESTING CERTIFICATE IMPORT"
    code: "err_server_certificate_operation_failed"
    message: "Failed to create HTTPS inbound certificate with error '-1'"

#LOGOUT
mgmt_cli --session-id "W9Z..MYuser..-RNw" logout

 

0 Kudos
6 Replies
HeikoAnkenbrand
Champion Champion
Champion

I also had the problem and saw with tcpdump that fewer bytes were transferred than the length of the certificate. Unfortunately, this is only a guess, as you cannot see the real bytes in the https session. I would open a TAC Case.

Does the same work on the CLI in expert mode?

# mgmt_cli add server-certificate name "CertificateXX base64-certificate "MIIQ....ggA" base64-password "Qi...K=" comments "TESTING CERTIFICATE IMPORT" --format json

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
Art_Zalenekas
Employee
Employee

I recall there was a problem with the API call and either the base64 cert or password was truncated. What JHF are you running? Must be at or above Take34. Best case here is to open a TAC ticket.

0 Kudos
pepj
Participant

Hello

we have HOTFIX_R81_JUMBO_HF_MAIN Take: 44 

    I tried with REST-API,  with curl, with shell mgmt_cli and show console.   Alsways error =-1

    ( the badest was with show console were the certificate cannot be inserted ... seems too big for the console. 

PS: I opened a case to my vendor

Thank you for your feedback

Jean-Michel

0 Kudos
pepj
Participant

Hi

solved 

in our enviroment the session-name and session description are a must ( otherwise command aborted )

   options "session-name" , "session-description"

and have rights to publish certificate ( otherwise the changes stay in the session indefinitly or aborted )

Thank you for your help

 

0 Kudos
Jens_Bauernfein
Explorer

Hi pepj, can you explain this a little further please?

I currently have the same problem and already specified a session name and description via "set session", still receiving the error.

 

Thank you

0 Kudos
pepj
Participant

Hi

I filled "session-name" and "session-description" as defined by our security 

and 

created a special role only for only managing certificates and some needs:

desactivated all out of:

access control

  - access control and objects settings: write 

  - application control and url filtering : checked

threat prevention

 - permission setting: write

other: 

  - common objects write

 - checkpoint point userdatabase default write

 - https inspection : write

 - client certificate : checked

 monitor and logging

 - https inspection log : checked

management

 - management API : checked

endpoint

 - allow executing pushing operation

 

I hope this help

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events