Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Durin
Contributor

Find out if fingerprint has changed on LDAPS server

Hi,

 

I am looking for a way to find out if the fingerprint on an LDAPS server has changed (an LDAP account unit).

Currently when the fingerprint is changed authentication stops working since the management server notices that the fingerprint has changed and one have to manually fetch and install the gateways so it reflects the new changes.

So i am looking for a way to detect this, for example where can i find the current fingerprint so i can compare ?

Management server is running R80.30

Thanks in advance

/Rickard

0 Kudos
3 Replies
Dor_Marcovitch
Advisor

you can try to connect to the DC and check if it has a "new" certificate issued to it

cpopenssl s_client -connect <IP>:636

if you have some other monitoring systems, then you can raise an event on the DC by monitoring the event log to see if a new certificate was enrolled

i am also looking for a solution for next re-authentication, not sure why CP uses the server's fingerprint and not just relaying on the PKI infrastructure

0 Kudos
Roman_Niewiado1
Contributor

You can also let the fingerprint field empty. Then it doesn´t matter, if the fingerprint changes.

Dor_Marcovitch
Advisor

and if i remove the fingerprint, does the FW perform validity checks on the certificate ? 

if the CA is an internal CA.. where do i put it's certificate to be trusted?

0 Kudos