Bistro
Explorer

auto renew certificate fingerprint

An outage occurred with users being unable to connect via Check Point Mobile, which was resolved by re-fetching the domain controller fingerprints in the LDAP settings. My question is how to avoid this issue occurring every year, as the certificate renews yearly:

- Can Check Point Auto Renew/Pull the certificate fingerprint?

- Can Check Point Warn of alert before expiry to allow for planning / proactive action?

0 Kudos

Accepted Solutions
JozkoMrkvicka
Mentor

Or, even more simply: Coordinate with LDAP responsible admins to inform Check Point firewall guys and coordinate change of certificate together (task in the change ticket).

Kind regards,
Jozko Mrkvicka


0 Kudos
9 Replies
the_rock
Legend

I don't believe it can auto-renew, but I saw a post indicating it now gives a 60-day warning before it's supposed to expire, though that's starting with R81.20.

Andy

0 Kudos
PhoneBoy
Admin

I believe you can remove the fingerprint in the LDAP Server definition, which will skip this check.
Unfortunately, there is no way to automatically update the fingerprint.

JozkoMrkvicka
Mentor

Yes, the fingerprint can be left empty. The gateway will accept any fingerprint presented by LDAP/AD. That might be a security violation, since there is no way of checking.

Kind regards,
Jozko Mrkvicka
PhoneBoy
Admin

That is correct.
As I said, there's no way to automatically check or update the fingerprint.
Pretty certain LDAP Server objects do not have API support either (though maybe you can update via generic-object calls).

0 Kudos
JozkoMrkvicka
Mentor

The API is out of the game here, but there must be a way for CP to figure out whether the fingerprint matches or not. Maybe some command like "fwm fingerprint" can be used to check the fingerprint from LDAP. If there is some easy way, then a Linux bash script can be created (for example to send a mail if the fingerprint is changed on the LDAP side).

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin

The public key is communicated on first connection with the LDAP server as part of the initial TLS negotiation.
Which means you should be able to employ a technique like the following to obtain the fingerprint: https://askubuntu.com/questions/156620/how-to-verify-the-ssl-fingerprint-by-command-line-wget-curl
(The Check Point binary for openssl is called cpopenssl)
Or, maybe more simply: see if the certificate has changed.

0 Kudos
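The monitoring script Jozko proposes above (mail if the fingerprint changes on the LDAP side) combined with PhoneBoy's openssl technique, as an added example that is not from the thread or from Check Point. It assumes the openssl CLI is on PATH; on a gateway you would point OPENSSL_BIN at cpopenssl, which the thread names but whose location is not given here. The stored baseline is the SHA-1 fingerprint in the same colon-separated form the LDAP Account Unit shows; a change returns a distinct exit code so cron, a mail hook or a log line can pick it up, and a second helper flags certificates that expire within a planning window (the 60-day warning mentioned earlier is reproduced here with openssl's -checkend).

```shell
#!/usr/bin/env bash
# Added example: detect a changed LDAPS (domain controller) certificate fingerprint and
# warn ahead of expiry. Not Check Point code; OPENSSL_BIN is a placeholder (cpopenssl on a gateway).
set -u
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# Fetch the leaf certificate a live LDAPS server presents, as PEM (needs network; not used offline).
fetch_ldaps_cert() {
  local host="$1" port="${2:-636}"
  "$OPENSSL_BIN" s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
    | "$OPENSSL_BIN" x509 -outform PEM
}

# SHA-1 fingerprint of a PEM certificate file, printed as AB:CD:... (strip the "SHA1 Fingerprint=" label).
cert_fingerprint() {
  local pem_file="$1"
  "$OPENSSL_BIN" x509 -in "$pem_file" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Compare the current fingerprint with the stored baseline.
# Exit codes: 0 unchanged, 1 CHANGED (alert), 2 no baseline yet (recorded now), 3 unreadable certificate.
check_fingerprint() {
  local pem_file="$1" baseline_file="$2" current stored
  current="$(cert_fingerprint "$pem_file")" || return 3
  [ -n "$current" ] || return 3
  if [ ! -f "$baseline_file" ]; then
    printf '%s\n' "$current" > "$baseline_file"
    echo "baseline recorded: $current"
    return 2
  fi
  stored="$(cat "$baseline_file")"
  if [ "$current" = "$stored" ]; then
    echo "unchanged: $current"
    return 0
  fi
  # This is the point to send mail / write a log entry: the AD cert was renewed and the
  # fingerprint in the LDAP Account Unit must be re-fetched before Mobile Access users fail.
  echo "CHANGED: stored=$stored current=$current"
  return 1
}

# Returns 0 when the certificate expires within the given number of days (time to plan), 1 otherwise.
cert_expiring_soon() {
  local pem_file="$1" days="$2"
  if "$OPENSSL_BIN" x509 -in "$pem_file" -noout -checkend "$((days * 86400))" >/dev/null; then
    return 1
  fi
  return 0
}

# Offline demonstration with constructed self-signed certificates standing in for this year's
# and next year's domain controller certificate (no real DC is contacted).
demo() {
  local tmp; tmp="$(mktemp -d)"
  "$OPENSSL_BIN" req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/k1.pem" \
    -out "$tmp/dc_old.pem" -subj "/CN=dc01.example.test" -days 30 >/dev/null 2>&1
  "$OPENSSL_BIN" req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/k2.pem" \
    -out "$tmp/dc_new.pem" -subj "/CN=dc01.example.test" -days 400 >/dev/null 2>&1
  check_fingerprint "$tmp/dc_old.pem" "$tmp/baseline"   # first run: records baseline (rc 2)
  check_fingerprint "$tmp/dc_old.pem" "$tmp/baseline"   # same cert: unchanged (rc 0)
  cert_expiring_soon "$tmp/dc_old.pem" 60 && echo "WARNING: DC certificate expires within 60 days"
  check_fingerprint "$tmp/dc_new.pem" "$tmp/baseline"   # renewed cert: CHANGED (rc 1)
  rm -rf "$tmp"
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with `--demo` to see the three outcomes offline; in production replace the constructed certificates with `fetch_ldaps_cert dc01.example.test > /tmp/dc.pem` from cron and act on exit code 1. Note this only tells you the certificate changed; it does not validate the new one against a CA, which, as Hugo notes further down, the fingerprint model in Check Point does not do either.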
JozkoMrkvicka
Mentor

Or, even more simply: Coordinate with LDAP responsible admins to inform Check Point firewall guys and coordinate change of certificate together (task in the change ticket).

Kind regards,
Jozko Mrkvicka
0 Kudos
PhoneBoy
Admin

Ideally, this is probably the best approach.
Absent that, this points to a way this can be detected in a semi-automated fashion.

0 Kudos
Hugo_vd_Kooij
Advisor

Microsoft will do this at its own convenience, sometimes after reaching 80% of its lifetime. Preferably Friday evening, so it will take the longest time to get "resolved".

We have several customers that align with us to do this in a scheduled maintenance window for this particular activity. (Usually right after lunch.)

But the awkward thing is that there is no design to validate new certificates based on their CA inside Check Point. Like someone still clings to the old putkey methods for this particular feature and CAs are not to be trusted.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
