Durin
Contributor

Find out if fingerprint has changed on LDAPS server

Hi,

I am looking for a way to find out if the fingerprint on an LDAPS server has changed (an LDAP account unit).

Currently, when the fingerprint is changed, authentication stops working, since the management server notices that the fingerprint has changed and one has to manually fetch and install the gateways so it reflects the new changes.

So I am looking for a way to detect this, for example: where can I find the current fingerprint so I can compare?

Management server is running R80.30

Thanks in advance

0 Kudos
8 Replies
Dor_Marcovitch
Advisor

You can try to connect to the DC and check if it has a "new" certificate issued to it:

cpopenssl s_client -connect <IP>:636

If you have some other monitoring systems, then you can raise an event on the DC by monitoring the event log to see if a new certificate was enrolled.

I am also looking for a solution for the next re-authentication; not sure why CP uses the server's fingerprint instead of just relying on the PKI infrastructure.

0 Kudos
JozkoMrkvicka
Mentor

The certificate on the LDAP has to be changed by someone - it is not done automatically. Someone responsible for LDAP should (or has to?) inform all consumers (firewall team) that the certificate is going to be changed.

Kind regards,
Jozko Mrkvicka
Durin
Contributor

Yes, that is if routines are working as they should. But in a larger enterprise it can be a challenge.

Dor_Marcovitch
Advisor

If the CA is an enterprise CA and the DC has permissions, this procedure happens automatically with auto-enrollment.

I still don't understand why they are using certificate pinning and not just trusting a root CA, as PKI is designed to work.

Roman_Niewiado1
Contributor

You can also leave the fingerprint field empty. Then it doesn't matter if the fingerprint changes.

Dor_Marcovitch
Advisor

And if I remove the fingerprint, does the FW perform validity checks on the certificate?

If the CA is an internal CA, where do I put its certificate to be trusted?

0 Kudos
XBensemhoun
Employee

The way to do so is:

cpopenssl s_client -connect <host>:<port> < /dev/null 2>/dev/null | cpopenssl x509 -fingerprint -md5 -noout -in /dev/stdin

(found here and just adapted to cpopenssl) 

Information Security enthusiast, CISSP, CCSP
0 Kudos
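One way to turn this one-liner into the periodic check the original question asks for, as an added example that is not code from the thread or from Check Point: it saves a baseline fingerprint per server and reports when the live one differs. It assumes cpopenssl is on the PATH (a Gaia management server); the baseline directory, the MD5 digest (the one the one-liner above uses) and the function names are my own choices.

```shell
#!/bin/bash
# Added example, not from the thread: poll an LDAPS server's certificate
# fingerprint with cpopenssl and compare it with a saved baseline, so a
# change is noticed before LDAP authentication starts failing. Assumes
# cpopenssl is on the PATH; BASELINE_DIR and the MD5 digest are arbitrary.

BASELINE_DIR="${BASELINE_DIR:-/var/tmp/ldaps-fingerprints}"

# Normalise any fingerprint spelling ("MD5 Fingerprint=ab:cd:...", bare hex,
# with or without colons) to upper-case colon-separated hex so that a
# hand-typed baseline and cpopenssl's output compare equal.
normalize_fp() {
    printf '%s\n' "$1" | sed -e 's/^.*=//' -e 's/[^0-9A-Fa-f]//g' \
        | tr 'a-f' 'A-F' | sed -e 's/../&:/g' -e 's/:$//'
}
# Fingerprint of the certificate the server presents right now (needs network).
fetch_fp() {   # $1 = host, $2 = port (636 for LDAPS)
    cpopenssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | cpopenssl x509 -fingerprint -md5 -noout 2>/dev/null
}
# Exit status 0 when the two fingerprints differ, 1 when they are the same.
fp_changed() {   # $1 = baseline, $2 = current
    [ "$(normalize_fp "$1")" != "$(normalize_fp "$2")" ]
}
# Record a baseline on the first run; afterwards report OK or CHANGED.
check_server() {   # $1 = host, $2 = port
    base_file="$BASELINE_DIR/${1}_${2}.md5"
    current="$(fetch_fp "$1" "$2")"
    if [ -z "$current" ]; then
        echo "ERROR $1:$2 no certificate retrieved" >&2; return 2
    fi
    mkdir -p "$BASELINE_DIR"
    if [ ! -f "$base_file" ]; then
        normalize_fp "$current" > "$base_file"
        echo "BASELINE $1:$2 $(cat "$base_file")"; return 0
    fi
    if fp_changed "$(cat "$base_file")" "$current"; then
        echo "CHANGED $1:$2 was $(cat "$base_file") now $(normalize_fp "$current")"
        return 1
    fi
    echo "OK $1:$2 $(normalize_fp "$current")"
}

# Usage: ldaps_fp_check.sh dc1.example.com 636 [dc2.example.com 636 ...]
# Exit status is non-zero if any server changed, so cron or a monitoring
# agent can alert on it.
if [ $# -gt 0 ]; then
    rc=0
    while [ $# -ge 2 ]; do check_server "$1" "$2" || rc=1; shift 2; done
    exit "$rc"
fi
```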
David_Charnon
Advisor

You can also use the "test_ad_connectivity" command (at least in R80.40, I assume it is available in R80.30). Details are in the Identity Awareness Administration Guide in the Command Line Reference section. You can specify the fingerprint in the test. I used this to verify which DCs in our environment had different fingerprints than what I had configured in SmartConsole.

Dave