Thomas_Eichelbu
Advisor

How to check for expired third party certificates?

Hello Check Mates,

Question:
How to check for expired third party certificates via CLI/API, whatever?
We have a bunch of third party certificates installed on various gateways and portals, but how to check them?

Internal certificates, yes, this is not an issue.
But SK sk104400 says:

[Expert@provider:0]# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
1 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020
--------------------

The expiration date is shown as 'Not_After: Tue Jan 14 14:19:02 2020' for this VPN Certificate.

Note: this command output has only Internal CA certificates, external CA certificates will not be shown.

So "external CA certificates will not be shown", and where can I see them?
I also don't see them on the CA management WebUI.

Is there a way to see them on CLI/API?

Dealing with certificates on the Check Point platform is never an easy thing, and all GUI elements in this regard look very old school.
Just follow this thread:
https://community.checkpoint.com/t5/General-Topics/Renew-external-3rd-party-certificate-for-IPSEC-VP...

Maybe you guys have a trick ready!

Thank you

9 Replies
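As an added example (not from the thread or from Check Point), the script below parses the `cpca_client lscert` output format quoted in the question and lists certificates whose Not_After falls within N days, so expiry can be caught before it happens rather than after. As the SK says, lscert only covers Internal CA certificates, so this does not answer the third-party question; the sample output is constructed.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample in the format `cpca_client lscert` prints (not real certificates).
SAMPLE_OUTPUT = """Operation succeeded. rc=0.
2 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020
--------------------
Subject = CN=gw1 VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91913 DP = 1
Not_Before: Mon Jan 06 09:00:00 2020 Not_After: Fri Jan 03 09:00:00 2025
--------------------
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"          # e.g. "Tue Jan 14 14:19:02 2020"
_SUBJECT = re.compile(r"^Subject = (.+)$")
_STATUS = re.compile(r"^Status = (\S+) Kind = (\S+) Serial = (\S+)")
_DATES = re.compile(r"^Not_Before: (.+?) Not_After: (.+)$")


def parse_lscert(text):
    """Return one dict per certificate block found in lscert output."""
    certs, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SUBJECT.match(line):
            cur = {"subject": m.group(1)}
        elif m := _STATUS.match(line):
            cur.update(status=m.group(1), kind=m.group(2), serial=m.group(3))
        elif m := _DATES.match(line):
            cur["not_before"] = datetime.strptime(m.group(1), DATE_FMT)
            cur["not_after"] = datetime.strptime(m.group(2), DATE_FMT)
            certs.append(cur)  # the dates line closes a block
    return certs


def expiring_within(text, days, now=None):
    """(serial, subject, days left) for certs whose Not_After is within `days` of `now`.
    Already expired certificates are included, with a negative days-left value."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else (now or datetime.now())
    cutoff = now + timedelta(days=days)
    return [(c["serial"], c["subject"], (c["not_after"] - now).days)
            for c in parse_lscert(text) if c["not_after"] <= cutoff]


if __name__ == "__main__":
    # Pipe real output in: cpca_client lscert -stat Valid | python3 lscert_expiry.py 30
    days = int(sys.argv[1]) if len(sys.argv) > 1 else 30
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for serial, subject, left in expiring_within(text, days):
        print(f"{left:>5}d  serial={serial}  {subject}")
```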
PhoneBoy
Admin

The relevant objects do not have official API endpoints at present.
Even using generic-object APIs, I'm not seeing the information you're after.
As an example, I created a third party CA for LetsEncrypt in SmartConsole that I named... "LetsEncrypt"
To get the UID of this object, you can execute the following from the CLI of your management: mgmt_cli -r true show-generic-objects name "LetsEncrypt" --format json

Now, you can use show-generic-object: mgmt_cli -r true show-generic-object uid 22eceb6d-cdbe-4c90-a9d2-edcb3b0cc101 --format json

Unfortunately, the output doesn't appear to include anything about the expiration date:

{
  "domainsPreset" : null,
  "objectValidationState" : null,
  "dynamicContent" : {
    "objId" : "00000000-0000-0000-0000-000000000000",
    "checkPointObjId" : null,
    "domainsPreset" : null,
    "domainId" : null,
    "status" : "CALCULATING",
    "content" : { },
    "modified" : false,
    "folderPath" : null,
    "text" : null,
    "folder" : null,
    "is_owned" : false
  },
  "color" : "BLACK",
  "crlHttp" : true,
  "cacertsignkey" : "1b6233df938c3c129d438fcc",
  "ocspValidation" : false,
  "crlCacheTimeout" : 86400,
  "permissionsStrings" : [ ],
  "cacertificate" : "",
  "crlLdap" : false,
  "crlCacheType" : "TIMEOUT",
  "dn" : "CN=ISRG Root X1,O=Internet Security Research Group,C=US",
  "useAutoEnrollment" : false,
  "type" : "ca",
  "automaticEnrollmentProtocol" : null,
  "ocspServers" : [ ],
  "caType" : "OPSEC_PKI",
  "useCnToFetchUser" : false,
  "additionalCaSignKeys" : [ ],
  "permissionsType" : "NONE",
  "usePrincipalName" : false,
  "uid" : "22eceb6d-cdbe-4c90-a9d2-edcb3b0cc101",
  "folder" : {
    "uid" : "5c321c20-24b4-4c3f-aab7-cbc490d74dfd",
    "name" : "Global Objects"
  },
  "domain" : {
    "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name" : "SMC User"
  },
  "meta-info" : {
    "metaOwned" : false,
    "lockStateResponse" : null,
    "validationState" : "OK",
    "deletable" : true,
    "renameable" : true,
    "newObject" : false,
    "lastModifytime" : 1694633588103,
    "lastModifier" : "phoneboy",
    "creationTime" : 1694633588103,
    "creator" : "phoneboy"
  },
  "tags" : [ ],
  "name" : "LetsEncrypt",
  "icon" : "Objects/account_unit",
  "comments" : "",
  "display-name" : "",
  "customFields" : [ ],
  "_original_type" : "TrustedOpsecCaServer"
}

Not sure if there's another way to get this information short of SmartConsole.

Thomas_Eichelbu
Advisor

Hello,

Yes, this works ... I can find this object ... "ssl_cert"

[Expert@XXXXXXXXX:0]# mgmt_cli -r true show-generic-objects name "ssl_cert" --format json
{
"objects" : [ {
"uid" : "88d6f1f4-0806-4298-81eb-d660413962d4",
"name" : "ssl_cert",
"type" : "TrustedOpsecCaServer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
}
} ],
"from" : 1,
"to" : 1,
"total" : 1
}

But I am talking about these certificates, "savpn.XXXX"

PhoneBoy
Admin

The only way you can even see those certificates is by looking at the gateway through the generic-object API.
Something like: mgmt_cli -r true show generic-object uid "8414a95f-8f3d-5442-9944-9877f964d08e" --format json | jq ".certificates[]"

Possible that may lead you somewhere on your system.

the_rock
Legend

Maybe below?

[Expert@QUANTUM-MANAGEMENT:0]# cpca_client lscert -stat Expired
Operation succeeded. rc=0.
0 certs found.


https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuid...

Thomas_Eichelbu
Advisor

Hello,

Well, if the certificate is expired, it is already too late ... I want to check for certificates which will expire in the near future.
Also, this command shows ONLY internal Check Point certificates from its own CA.
But on many CP installations, a lot of third party certificates are installed for Platform Portal, UserCheck, HTTPS Inspection, IA Blade and third party IPSec certificates.

the_rock
Legend

Ok, once I re-read your post, I sort of figured that's what you were looking for, so accept my apologies; the command I gave you is really, well, useless lol

Anyway, that would be great if you find out the command, as I agree, it would be nice to see the ones soon expiring, especially the 3rd party certs.

Did you open a TAC case about it or not yet?

Andy

Thomas_Eichelbu
Advisor

Hello,

Yes, a TAC case has been opened, let's see what TAC can find out.
I fear an RFE would be required to realize a reasonable way to check for third party certificates.

the_rock
Legend

I agree, that's most likely what they will tell you.

Andy

the_rock
Legend

Since this is really bugging me and I'm a very persistent dude, I'm trying to make a script that would show this. So far, no luck, but I'm not giving up 🙂

Andy