Contributor

Third Parties Certificate details


Hi There,

cpca_client lscert will list only the details of internal certificates. Just wondering if anyone out there is aware of a CLI command (or API call) to get the details of any third-party certificate used on the SMS.

We were caught out by a certificate expiring, causing impact on remote users, which we're trying to avoid by creating a cron job (or something similar) to alert us, but first we need the command to extract the information.

Many thanks as always

 

 

 

Admin

Doesn't appear to be API support for this, and I'm not aware of any way to pull this over the CLI.
Might be an RFE.
@Eran_Habad 

Admin

API commands for user management are still on the roadmap.

However, 

 echo -e "query users\n-q\n" |dbedit -local

with some additional greps should do the trick

Contributor

Thanks both,

Though we're not after the user details in particular, but rather the details of the third-party certificate installed on the gateway that remote users connect to.

Will keep a close eye

Cheers

Admin

Even easier, you can query the GW with HTTPS on the SSL portal and script the certificate expiration retrieval.


From management where gateway/cluster is managed:

fwm printcert -obj <MANAGED_GATEWAY_NAME>

Kind regards,
Jozko Mrkvicka
Admin
Pretty sure that doesn't work for OPSEC CAs.
It returned an empty result on my R80.40 Manager where I have at least one OPSEC CA configured.

fwm printcert -ca <CA_NAME>

Kind regards,
Jozko Mrkvicka

Admin

Sure enough that works.

[Expert@R8040Mgmt:0]# fwm printcert -ca testca
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Not Valid Before: Thu Jun  4 04:04:38 2015 Local Time
Not Valid After:  Mon Jun  4 04:04:38 2035 Local Time
Serial No.:  008210cfb0d240e3594463e0bb63828b00
Public Key: RSA (4096 bits)
Signature: RSA with SHA256
Key Usage:
        keyCertSign
        cRLSign
Basic Constraint:
        is CA
MD5 Fingerprint:
   0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
SHA-1 Fingerprints:
1. CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
2. OWNS TERM INCA TOY DRAM HAL ULAN TENT AQUA COST LINT RENT

Nice work 🙂

Contributor

Thanks Jozko,

This command lists the CA details perfectly, though not the certificate(s) generated by this CA itself and assigned to a particular gateway.

I've tried another flavor of it: fwm printcert -obj <gateway> -cert <cert nickname> but it didn't list the details we're after; rather, it listed the certificate generated by the internal CA. Adding or removing the -cert option didn't make any difference in our case.

 

Wish this command had an option as below:

fwm printcert -ca <3rd party CA> -cert <cert nickname>

 

But I still think, if the GUI can list the details, then there should be a CLI command to do it as well... I'm still digging 😉

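For the cron alert asked about in the first post, the "Not Valid After" line of the fwm printcert -ca output shown in the thread can be parsed and compared with the current date. The script below is an added example, not code from any poster or from Check Point; it assumes Python 3.7+ on the host, the file name check_ca_expiry.py is hypothetical, and it only covers what fwm printcert -ca prints (the CA certificate, not gateway certificates issued by it).

```python
#!/usr/bin/env python3
import re
import subprocess
import sys
from datetime import datetime

# Constructed sample in the "fwm printcert" layout quoted in the thread.
SAMPLE = """\
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Not Valid Before: Thu Jun  4 04:04:38 2015 Local Time
Not Valid After:  Mon Jun  4 04:04:38 2035 Local Time
"""

FIELD = re.compile(r"^(Subject|Not Valid After):\s*(.+?)\s*$", re.M)

def parse_printcert(text):
    """Return [(subject, not_after)] for every certificate printed in text."""
    certs, subject = [], None
    for key, value in FIELD.findall(text):
        if key == "Subject":
            subject = value
            continue
        stamp = value.replace("Local Time", "").strip()
        certs.append((subject, datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")))
    if not certs:
        # An empty result (as reported above for -obj with OPSEC CAs) must not look healthy.
        raise ValueError("no certificate found in fwm printcert output")
    return certs

def expiring(text, now, warn_days=30):
    """Return [(subject, days_left)] for certificates expiring within warn_days."""
    left = [(s, (end - now).days) for s, end in parse_printcert(text)]
    return [(s, d) for s, d in left if d <= warn_days]

def fetch(ca_name):
    """Run the fwm printcert -ca command given in the thread (Expert mode on the SMS)."""
    return subprocess.run(["fwm", "printcert", "-ca", ca_name], check=True,
                          capture_output=True, text=True).stdout

if __name__ == "__main__":
    # Hypothetical cron usage: check_ca_expiry.py <CA_NAME> [<CA_NAME> ...]
    status = 0
    for name in sys.argv[1:]:
        try:
            hits = expiring(fetch(name), datetime.now())
        except (ValueError, OSError, subprocess.CalledProcessError) as err:
            print(f"ALERT {name}: {err}")
            status = 2
            continue
        for subject, days in hits:
            print(f"ALERT {name}: {subject} expires in {days} days")
            status = 1
    sys.exit(status)
```

The exit status is non-zero both when a certificate is inside the warning window and when the command fails or prints no certificate, so a cron wrapper can alert on either case.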