This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Durin
Contributor
‎2020-07-06 04:04 AM

Find out if fingerprint has changed on LDAPS server

Hi,

 

I am looking for a way to find out if the fingerprint on an LDAPS server has changed (an LDAP account unit).

Currently when the fingerprint is changed authentication stops working since the management server notices that the fingerprint has changed and one have to manually fetch and install the gateways so it reflects the new changes.

So i am looking for a way to detect this, for example where can i find the current fingerprint so i can compare ?

Management server is running R80.30

Thanks in advance

 

0 Kudos
8 Replies
Dor_Marcovitch
Advisor
‎2020-09-24 02:59 AM

you can try to connect to the DC and check if it has a "new" certificate issued to it

cpopenssl s_client -connect <IP>:636

if you have some other monitoring systems, then you can raise an event on the DC by monitoring the event log to see if a new certificate was enrolled

i am also looking for a solution for next re-authentication, not sure why CP uses the server's fingerprint and not just relaying on the PKI infrastructure

0 Kudos
JozkoMrkvicka
Leader
Leader
‎2022-02-11 11:23 AM
In response to Dor_Marcovitch

The certificate on the LDAP has to be changed by someone - it is not done automatically. Someone responsible for LDAP should (or have to ?) inform all consumers (firewall team) that the certificate is going to be changed.

Kind regards,
Jozko Mrkvicka
Durin
Contributor
‎2022-02-12 09:31 AM
In response to JozkoMrkvicka

Yes that is if routines is working as it should. But in a larger enterprise it can be a challenge.

Dor_Marcovitch
Advisor
‎2022-02-12 09:38 AM
In response to JozkoMrkvicka

If the ca is an enterprise ca and the dc has permissions this procedure happanes automaticly with auto enrollment. 

I still dont understand why they are using certificate pinning and not just trusting a root ca as pki is designed to.work.

Roman_Niewiado1
Contributor
‎2020-09-24 05:05 AM

You can also let the fingerprint field empty. Then it doesn´t matter, if the fingerprint changes.

Dor_Marcovitch
Advisor
‎2020-09-24 05:29 AM
In response to Roman_Niewiado1

and if i remove the fingerprint, does the FW perform validity checks on the certificate ? 

if the CA is an internal CA.. where do i put it's certificate to be trusted?

0 Kudos
XBensemhoun
Employee
Employee
‎2022-02-11 10:19 AM

The way to do so is:

cpopenssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | cpopenssl x509 -fingerprint -md5 -noout -in /dev/stdin

(found here and just adapted to cpopenssl) 

Information Security enthusiast, CISSP, CCSP
0 Kudos
David_Charnon
Advisor
‎2022-02-12 01:17 PM
In response to XBensemhoun

You can also use the "test_ad_connectivity" command (at least in R80.40, I assume it is available in R80.30). Details are in the Identity Awareness Administration Guide in the Command Line Reference section. You can specify the fingerprint in the test. I used this to verify which DCs in our environment had different fingerprints than what I had configured in SmartConsole.

Dave