This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Daniel_
Contributor
‎2020-03-02 01:57 PM
Jump to solution

Third Parties Certificate details

Hi There,

cpca_client lscert will list only the details of internal certificates, just wonder if anyone out there aware of a CLI command -or API call- to get the details for any third party used certificate on the SMS.

We were caught of a certificate expiring -causing impact on remote users, which we're trying to avoid by creating a cron job -or something similar- to alert us, but first we need to get the command to extract the information.

Many thanks as always

 

 

 

0 Kudos
1 Solution

Accepted Solutions
JozkoMrkvicka
Mentor
Mentor
‎2020-03-13 06:54 AM
In response to PhoneBoy
Jump to solution

fwm printcert -ca <CA_NAME>

Kind regards,
Jozko Mrkvicka

View solution in original post

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2020-03-02 05:43 PM
Jump to solution

Doesn't appear to be API support for this, and I'm not aware of any way to pull this over the CLI.
Might be an RFE.
@Eran_Habad 

0 Kudos
_Val_
Admin
Admin
‎2020-03-03 12:09 AM
Jump to solution

API commands for user management are still on the roadmap.

However, 

 echo -e "query users\n-q\n" |dbedit -local

with some additional greps should do the trick

0 Kudos
_Daniel_
Contributor
‎2020-03-03 07:45 PM
In response to _Val_
Jump to solution

Thanks both,

Though not after the user details in particular rather the third party certificate's details installed on the gateway for remote users connecting to.

Will keep a close eye

Cheers

0 Kudos
_Val_
Admin
Admin
‎2020-03-03 11:26 PM
In response to _Daniel_
Jump to solution

Even easier, you can query GW with HTTPS on SSL portal and script certificate expiration retrieval. 

0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2020-03-04 05:44 AM
Jump to solution

From management where gateway/cluster is managed:

fwm printcert -obj <MANAGED_GATEWAY_NAME>

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-04 04:00 PM
In response to JozkoMrkvicka
Jump to solution

Pretty sure that doesn't work for OPSEC CAs.
It returned an empty result on my R80.40 Manager where I have at least one OPSEC CA configured.
0 Kudos
JozkoMrkvicka
Mentor
Mentor
‎2020-03-13 06:54 AM
In response to PhoneBoy
Jump to solution

fwm printcert -ca <CA_NAME>

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-13 03:40 PM
In response to JozkoMrkvicka
Jump to solution

Sure enough that works.

[Expert@R8040Mgmt:0]# fwm printcert -ca testca
Subject: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Issuer: CN=ISRG Root X1,O=Internet Security Research Group,C=US
Not Valid Before: Thu Jun  4 04:04:38 2015 Local Time
Not Valid After:  Mon Jun  4 04:04:38 2035 Local Time
Serial No.:  008210cfb0d240e3594463e0bb63828b00
Public Key: RSA (4096 bits)
Signature: RSA with SHA256
Key Usage:
        keyCertSign
        cRLSign
Basic Constraint:
        is CA
MD5 Fingerprint:
   0C:D2:F9:E0:DA:17:73:E9:ED:86:4D:A5:E3:70:E7:4E
SHA-1 Fingerprints:
1. CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8
2. OWNS TERM INCA TOY DRAM HAL ULAN TENT AQUA COST LINT RENT

Nice work 🙂

0 Kudos
_Daniel_
Contributor
‎2020-03-15 12:47 PM
In response to JozkoMrkvicka
Jump to solution

Thanks Jozko,

This command perfectly lists the CA details, not though the certificate(s) generated -and assigned to a particular gateway- by this CA itself.

I've tried another flavor of it:  fwm printcert -obj <gateway>-cert <cert nickname> but didn't list the details we're after, rather it listed the certificate generated by the internal CA. Adding or removing the -cert option didn't make any difference in our case

 

Wish this command got an option as below:

fwm printcert -ca <3rd party CA> -cert <cert nickname>

 

But I still think, if the GUI can list the details, then there should be a CLI command to do it as well... I'm still digging 😉

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events