cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Certificate Renewal - how is this task processed - Reporting options required

Hello,

Can someone help me to check the certificates installed on Check Point appliances?. I have two requirements, need to check whether these appliance/gateways are installed valid certificate for WebUI and SSH access and what is the validity and expiry date and who provided the certificate (ether ICA or third-party certificate authority)

Any update on this is greatly appreciated

Thanks in advance

Thanks,

Somasekharan

Tags (1)
0 Kudos
5 Replies
Admin
Admin

Re: Certificate Renewal - how is this task processed - Reporting options required

Moving to Appliances and Gaia

Every time you connect to one of the web portals, the public certificate of that portal should be offered.

This is how TLS works.

I suppose you could use something like the following to programmatically evaluate the various portals: Proactively Handling Certificate Expiration With ssl-cert-check -- Prefetch Technologies 

SSH keys are not issued by a certificate authority.

They are almost always internally generated and do not have an expiration date.

0 Kudos

Re: Certificate Renewal - how is this task processed - Reporting options required

Thank you for your response

0 Kudos
XBensemhoun
Silver

Re: Certificate Renewal - how is this task processed - Reporting options required

If you need to check all certificates expiration, you may check also the ones which are used to establish IPSec tunnels. By default they are generated for 5 years ... if some of your Security Gateways have to be in place approx this time, you should pay attention to that expiration : if expired, you will not be able to establish VPN IPSec tunnel.

I use the following command on the Security Management Server:

cpca_client lscert -kind IKE -stat Valid > /var/ValidIKECert_`/bin/date +%Y-%m-%d_%H%M`.txt

More details on cpca_client lscert command (from Command Line Interface Reference Guide of R77😞
Description Show all certificates issued by the ICA.
Syntax

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}]

[-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameter Description
-d Runs the command in debug mode
-dn substring Filters results to those with a DN that matches this <substring>
-stat Filters results to the specified certificate status: Pending, Valid, Revoke, Expire, or Renewed
-kind Filters results for specified kind: SIC, IKE, User, or LDAP
-ser <serial> Filters results for this serial number
-dp <dp> Filters results from this CDP (certificate distribution point)

The content of the file generated should be something like:

which could be transform to:

... in order to be imported in any spreadsheet software.

0 Kudos

Re: Certificate Renewal - how is this task processed - Reporting options required

Thank you for your input

Re: Certificate Renewal - how is this task processed - Reporting options required

Thank you all for your feedback. I will go through your comments.

If we have the certificate from the internal Certificate authority for For the administrative access (via ssh, WEB-UI) on the security components, hope the same can be pushed to use laptop using Group Policy.

My organization is asking for the certificate for administrative access (via ssh, WEB-UI) on the security components.

0 Kudos