This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
tomasFuk
Explorer
‎2025-06-30 07:15 AM
Jump to solution

How to pair gateway with SMS?

I am writing automation scirpts where i collect some info from gateway via ssh (interfaces, routing etc...) and some info from sms via API (fw rules, nat rules etc). 

I didnt find a way yet how to 100% correctly pair gateway where i connect via ssh with "show-gateways-and-servers" api endpoint from sms. 

 

Ideal would be to compare SIC certificates, but from SMS i was  just able to get some shortened ones:
 

cp-2> cpca_client lscert -kind SIC
Operation succeeded. rc=0.
30 certs found.

Subject = CN=cp_mgmt,O=cp-2..5qabcd
Status = Valid Kind = SIC Serial = 3843 DP = 0
Not_Before: Mon Jun 24 11:34:04 2024 Not_After: Sun Jun 24 11:34:04 2029

Subject = CN=cp-vss,O=cp-2..5qabcd
Status = Revoked Kind = SIC Serial = 9159 DP = 0
Not_Before: Tue Jun 24 11:34:41 2025 Not_After: Mon Jun 24 11:34:41 2030

 

but i havent found any command which would show me full certificate. 

On GW itself i wasnt able to found any cli command to show SIC certificates. 

 

Is there some way how to show SIC cert on both sides? Or some other way how to pair gw with SMS? 

FYI, pairing via gateway name or ip adress is a no go as i already encountered situations where they were duplicated and/or didnt match

 

Thank you! 

0 Kudos
1 Solution

Accepted Solutions
Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-06-30 12:41 PM
In response to PhoneBoy
Jump to solution

Yes, it's $CPDIR/conf/sic_cert.p12. On my management:

[Expert@DallasSC]# cpca_client lscert -kind SIC -stat Valid
Operation succeeded. rc=0.
6 certs found.

Subject = CN=DallasticVS1,O=DallasSC.mylab.test.popnik
Status = Valid   Kind = SIC   Serial = 12159   DP = 0
Not_Before: Sat Jun  7 18:35:33 2025   Not_After: Sat Jun  8 18:35:33 2030

Subject = CN=DallasticXL,O=DallasSC.mylab.test.popnik
Status = Valid   Kind = SIC   Serial = 89094   DP = 0
Not_Before: Sat Jun  7 18:17:01 2025   Not_After: Sat Jun  8 18:17:01 2030
...

And on one of my VSNext members:

[Expert@DallasticXL-s01-01:0]# cpopenssl pkcs12 -passin "pass:vpn123" -nomacver -nokeys -in $CPDIR/CTX/CTX00001/conf/sic_cert.p12 | cpopenssl x509 -text | egrep "(Subject|Serial Number):"
        Serial Number: 12159 (0x2f7f)
        Subject: O = DallasSC.mylab.test.popnik, CN = DallasticVS1

[Expert@DallasticXL-s01-01:0]# cpopenssl pkcs12 -passin "pass:vpn123" -nomacver -nokeys -in $CPDIR/conf/sic_cert.p12 | cpopenssl x509 -text | egrep "(Subject|Serial Number):"
        Serial Number: 89094 (0x15c06)
        Subject: O = DallasSC.mylab.test.popnik, CN = DallasticXL

You can see the subjects match exactly (though you have to interpret the DN), as do the serial numbers.

View solution in original post

(1)
5 Replies
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2025-06-30 09:34 AM
Jump to solution

In the Security Gateway check the $FWDIR/conf/masters file: This file should contain the correct name or IP address of the Security Management Server or Domain Management Server.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-06-30 09:48 AM
Jump to solution

I believe even on gateways, the actual cert used for SIC is in $CPDIR/conf.

Bob_Zimmerman
MVP Gold
MVP Gold
‎2025-06-30 12:41 PM
In response to PhoneBoy
Jump to solution

Yes, it's $CPDIR/conf/sic_cert.p12. On my management:

[Expert@DallasSC]# cpca_client lscert -kind SIC -stat Valid
Operation succeeded. rc=0.
6 certs found.

Subject = CN=DallasticVS1,O=DallasSC.mylab.test.popnik
Status = Valid   Kind = SIC   Serial = 12159   DP = 0
Not_Before: Sat Jun  7 18:35:33 2025   Not_After: Sat Jun  8 18:35:33 2030

Subject = CN=DallasticXL,O=DallasSC.mylab.test.popnik
Status = Valid   Kind = SIC   Serial = 89094   DP = 0
Not_Before: Sat Jun  7 18:17:01 2025   Not_After: Sat Jun  8 18:17:01 2030
...

And on one of my VSNext members:

[Expert@DallasticXL-s01-01:0]# cpopenssl pkcs12 -passin "pass:vpn123" -nomacver -nokeys -in $CPDIR/CTX/CTX00001/conf/sic_cert.p12 | cpopenssl x509 -text | egrep "(Subject|Serial Number):"
        Serial Number: 12159 (0x2f7f)
        Subject: O = DallasSC.mylab.test.popnik, CN = DallasticVS1

[Expert@DallasticXL-s01-01:0]# cpopenssl pkcs12 -passin "pass:vpn123" -nomacver -nokeys -in $CPDIR/conf/sic_cert.p12 | cpopenssl x509 -text | egrep "(Subject|Serial Number):"
        Serial Number: 89094 (0x15c06)
        Subject: O = DallasSC.mylab.test.popnik, CN = DallasticXL

You can see the subjects match exactly (though you have to interpret the DN), as do the serial numbers.

(1)
tomasFuk
Explorer
‎2025-06-30 11:24 PM
In response to Bob_Zimmerman
Jump to solution

thanks, exactly what i need! 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-06-30 12:51 PM
Jump to solution

Yes, its definitely sic_cert.p12 in $CPDIR/conf dir

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events