This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Daniel_Kavan
MVP Gold
MVP Gold
‎2024-11-19 12:53 PM
Jump to solution

teapi

Hi all,

So, we are trying to connect to the teapi and getting an error on our self-signed certificate is not trusted.

Where do I export my manager's certificate & how can I code this (python) so it is trusted rather than ignored?

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2024-11-21 09:05 AM
In response to Daniel_Kavan
Jump to solution

At least for fresh installs of recent versions (e.g. R81.20), the CA should be valid until end of 2037.
You can verify this by viewing the internal_ca object (under Servers > Trusted CA in the Objects Explorer).

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2024-11-20 07:17 AM
Jump to solution

It's not the certificate necessarily, it's the Certificate Authority (which is presumably the ICA).
You might need to use the ICA Management Tool to get it: https://support.checkpoint.com/results/sk/sk30501 

Coding acceptance of this in Python is a separate question.

Daniel_Kavan
MVP Gold
MVP Gold
‎2024-11-20 11:04 AM
In response to PhoneBoy
Jump to solution

The developers would prefer to use a wildcard certificate rather than use the CA, becuase they think it will be more of a security risk and harder to manage changes.   Is there a way to use my gateway's certificate (signed), https://hostname.my.domain:18194/teapi/etc and force the api to use it instead of the ica reference to my manager?

PhoneBoy
Admin
Admin
‎2024-11-20 04:03 PM
In response to Daniel_Kavan
Jump to solution

It appears the teapi leverages UserCheck, which has a portal certificate you can replace.
See: https://support.checkpoint.com/results/sk/sk113599 

Daniel_Kavan
MVP Gold
MVP Gold
‎2024-11-21 06:05 AM
In response to PhoneBoy
Jump to solution

Isn't usercheck exclusively for browser connectivity vs a python script to 18194?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-21 08:46 AM
In response to Daniel_Kavan
Jump to solution

That makes more sense as UserCheck is used for the "user facing" parts of Threat Emulation/Extraction.
The SK I linked suggests that the relevant Internal CA is what you need to trust as that's how it is configured in SmartEndpoint.
Don't believe there is a supported way to change the API endpoint certificate.

Daniel_Kavan
MVP Gold
MVP Gold
‎2024-11-21 08:48 AM
In response to PhoneBoy
Jump to solution

I agree, that I need to trust the ICA.   Does that change every year now?

0 Kudos
PhoneBoy
Admin
Admin
‎2024-11-21 09:05 AM
In response to Daniel_Kavan
Jump to solution

At least for fresh installs of recent versions (e.g. R81.20), the CA should be valid until end of 2037.
You can verify this by viewing the internal_ca object (under Servers > Trusted CA in the Objects Explorer).

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events