"unknown" certificate on management server
Hi everyone,
I recently checked the SIC certificates on our management server with “cpca_client lscert -stat Valid -kind SIC” and noticed an unknown certificate. The certificate name is the name of our management server, and it’s not used for the internal CA or for anything else, or I couldn’t find it, which might be the case.
I’ve checked sk20905 and sk43783, but I don’t think they can be applied here. Furthermore, I’ve checked every p12 on the server, but none of those I’ve found is the unknown certificate.
And running sicRenew -d (sk43783) on a cloned VM in my test lab didn’t renew this certificate. It only renewed the “CN=cp_mgmt” certificate.
I tried “cpca_client create_cert -n "CN=CN=CP-FW-Mgmt.company.de" -f $CPDIR/conf/test_cert.p12”, and this did create a new certificate, but I’m unsure if this is the correct way to renew this certificate.
Management server and both gateways are on R80.40 Take 180.
Is this certificate even needed? And if so, how can I renew it?
Many thanks for your help!
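As an added example (not part of the original post and not Check Point's own tooling), the script below parses the text that cpca_client lscert prints, in the field layout shown in this thread, and lists the certificates whose Not_After falls within a chosen number of days, which is the check the question is really asking for. The sample output embedded in it is constructed; serials, names and thumbprints are made up. It assumes GNU date (the -d option) is available, as it is on Linux-based systems such as Gaia.

```shell
#!/bin/bash
# Added example: flag SIC certificates that expire soon, from the text that
# `cpca_client lscert -stat Valid -kind SIC` prints. Needs GNU date (-d).

# Constructed sample in the layout cpca_client prints. Only the field layout
# mirrors the real tool; serials, names and fingerprints are made up.
SAMPLE_LSCERT='Operation succeeded. rc=0.
2 certs found.
Subject = CN=cp_mgmt,O=mgmt.example.invalid.abcdef
Status = Valid Kind = SIC Serial = 10001 DP = 0
Not_Before: Mon Jan 22 09:36:17 2018 Not_After: Sun Jan 22 09:36:17 2023
Fingerprint = WORD WORD WORD WORD WORD WORD WORD WORD WORD WORD WORD WORD
Thumbprint = 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Subject = CN=gw1.example.invalid,O=mgmt.example.invalid.abcdef
Status = Valid Kind = SIC Serial = 10002 DP = 0
Not_Before: Wed Jan 10 12:00:00 2024 Not_After: Thu Mar 05 12:00:00 2026
Fingerprint = WORD WORD WORD WORD WORD WORD WORD WORD WORD WORD WORD WORD
Thumbprint = 44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77'

# expiring_certs DAYS NOW_EPOCH   (reads lscert output on stdin)
# Prints one line "SERIAL<TAB>NOT_AFTER<TAB>SUBJECT" for every certificate
# whose Not_After is at or before NOW_EPOCH + DAYS days. Certificates that
# are already expired at NOW_EPOCH are reported too, since their Not_After
# is also at or before the limit.
expiring_certs() {
  days="$1"; now="$2"
  limit=$(( now + days * 86400 ))
  subject=""; serial=""
  while IFS= read -r line; do
    case "$line" in
      "Subject = "*)
        subject="${line#Subject = }" ;;
      "Status = "*)
        # The serial sits in the middle of the Status line.
        serial=$(printf '%s\n' "$line" | sed -n 's/.*Serial = \([0-9][0-9]*\).*/\1/p') ;;
      "Not_Before: "*)
        # Not_Before and Not_After share one line; keep only the Not_After part.
        not_after="${line##*Not_After: }"
        # Parse the ctime-style timestamp as UTC; skip entries date cannot parse.
        exp=$(date -u -d "$not_after" +%s 2>/dev/null) || continue
        if [ "$exp" -le "$limit" ]; then
          printf '%s\t%s\t%s\n' "$serial" "$not_after" "$subject"
        fi ;;
    esac
  done
}

# How many certificates from the constructed sample fall inside the window.
count_expiring_in_sample() {
  printf '%s\n' "$SAMPLE_LSCERT" | expiring_certs "$1" "$2" | wc -l | tr -d ' '
}

# Demo: evaluate the sample as of 1 Jan 2023 00:00 UTC with a 90-day window.
# On a management server you would pipe the live output instead:
#   cpca_client lscert -stat Valid -kind SIC | expiring_certs 90 "$(date +%s)"
AS_OF=1672531200
printf '%s\n' "$SAMPLE_LSCERT" | expiring_certs 90 "$AS_OF"
```

Run it in Expert mode with the live lscert output piped in, as in the comment at the end of the script; a fixed reference epoch is used in the demo only so that the result does not depend on the day you run it.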
Accepted Solutions
You guys are the best @PhoneBoy, @the_rock, @_Val_ ! Enabling ICA mgmt tool put me in the right path.
I followed sk30501 for setting up access to the ICA, but I couldn't access the ICA site although "cpca_client set_mgmt_tool print" showed that access was enabled and port 18265 was listening.
After some troubleshooting I found the solution for both problems in sk39915, in the notes section. Apparently the private key file was no longer valid or got corrupted as a result of the upgrade process. After running the following commands:
- Rename the current private key file $FWDIR/state/InternalCA_site.p12:
[Expert@HostName]# mv $FWDIR/state/InternalCA_site.p12 $FWDIR/state/InternalCA_site.p12_ORIGINAL
- Disable the ICA Management Tool:
[Expert@HostName]# cpca_client set_mgmt_tool off
- Enable the ICA Management Tool:
[Expert@HostName]# cpca_client set_mgmt_tool on
- Check if the new private key file was created:
[Expert@HostName]# ls -l $FWDIR/state/InternalCA_site.p12
I was able to access the ICA management site. I wanted to find the certificate a bit more easily using the serial number and ran cpca_client another time. To my surprise, the expiring certificate was replaced by a new one. Success!
I added a few more screenshots in case someone else is running into this issue. What I noticed is that the InternalCA_site.p12 file contains different certificates than I expected. And apparently there is now a new internal_ca certificate (expiring in 2038), and it is different from the internal_ca certificate shown in SmartConsole.
I did some tests and everything seems to work. Thus I'm hoping there is not a new problem now.
Anyway, many thanks again for your help!
Could it be that you are having a VPN to another company, with certificate authentication?
That's odd indeed. So when I ran it on my lab mgmt server (R81.20), I see 5 entries and all of them refer to correct dates, as the CN shows either cp_mgmt, the mgmt host name OR the gateway name. Did the same on an R81.10 mgmt and got literally very similar output, showing expiry in January 2027.
Question...when you log into smart console and navigate to servers -> trusted CA -> how many entries do you see there?
Andy
Hi guys,
Under Trusted CAs I've got only one entry, the internal_ca with an expiration date in 2036. And I checked our VPN configuration as well. We have only a single tunnel to another company, and that one uses a cluster certificate which is expiring in 2026.
When we bought our new gateways in 2019 we were on R77.30, and for upgrading to R80.40 we used migrate export. Could it be that the certificate is a leftover from R77.30?
Yeah, those internal_ca's usually have a 15-year expiry date. I see what you are saying, it's definitely a possibility it's left there from R77.30... but I would maybe confirm 100% with TAC.
I asked our consulting partner to open a service request. They haven't seen this problem on any of their customers before.
So let's see what TAC has to say.
It's possible it's leftover from R77.x.
Can you show the actual certificate details?
I think that's possible. But I have to ask how to do that from the command line?
[Expert@CP-FW-Mgmt:0]# cpca_client search 61360 -where serial
Operation succeeded. rc=0.
1 certs found.
Subject = CN=CP-FW-Mgmt.company.de,O=CP-FW-Mgmt.company.de.vjyypw
Status = Valid Kind = SIC Serial = 61360 DP = 0
Not_Before: Mon Jan 22 09:36:17 2018 Not_After: Sun Jan 22 09:36:17 2023
Fingerprint = SAY TILE ACT WORN NIT COME AWK SET OTT DUG JAW TAN
Thumbprint = 3a:fd:74:01:ff:02:c2:d4:04:c7:70:c1:08:11:fc:7e:b0:a7:5c:37
That's probably not the right way to do this, or is it?
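Since the question of which p12 file on the server holds this certificate comes up twice in the thread (every p12 was checked by eye, and the CLI only yields serial, Fingerprint and Thumbprint), here is an added example, not from the original post, that compares the certificate inside a PKCS#12 file against the Thumbprint value printed by cpca_client. It assumes the Thumbprint is the SHA-1 hash of the DER-encoded certificate (it has the 20-byte length of one) and that you know the .p12 password; the demo certificate and .p12 it builds are throw-away test data, not anything taken from a Check Point system.

```shell
#!/bin/bash
# Added example: match a PKCS#12 file on disk to the Thumbprint that
# `cpca_client lscert` / `cpca_client search` print for a certificate.
# Assumptions (not stated on the page): the Thumbprint is the SHA-1 hash
# of the DER certificate, and the .p12 password is known to you.

# Print the SHA-1 fingerprint of the end-entity certificate in a .p12 file,
# lower-case and colon separated, so it can be compared to the Thumbprint.
p12_thumbprint() {
  p12="$1"; pass="$2"
  openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pass" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 \
    | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# p12_matches_thumbprint P12 PASSWORD THUMBPRINT
# Returns 0 when the .p12 holds the certificate with that Thumbprint, 1 otherwise.
p12_matches_thumbprint() {
  actual=$(p12_thumbprint "$1" "$2")
  expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# SHA-1 fingerprint straight from a PEM certificate, same formatting.
pem_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr 'A-F' 'a-f'
}

# Self-contained demo: build a throw-away self-signed certificate and .p12
# so the functions can be exercised without touching a management server.
make_demo_p12() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=demo.example.invalid" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
    -out "$dir/demo.p12" -passout pass:demo-secret
  printf '%s\n' "$dir"
}

DEMO_DIR=$(make_demo_p12)
DEMO_THUMB=$(pem_thumbprint "$DEMO_DIR/cert.pem")
if p12_matches_thumbprint "$DEMO_DIR/demo.p12" demo-secret "$DEMO_THUMB"; then
  echo "demo.p12 contains certificate $DEMO_THUMB"
fi
```

On a real server you would call p12_matches_thumbprint on each .p12 under $CPDIR/conf and $FWDIR/state with the Thumbprint copied from the cpca_client search output; a match tells you which file holds the certificate, and no match across all of them means it exists only in the ICA's database.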
I don't believe it's possible to retrieve from the CLI.
It should be possible from the (web-based) ICA tool, which needs to be enabled.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Great job! You are welcome, but in all fairness, I think all of us strive to be like @PhoneBoy, but he is the CP encyclopedia, legend, guru, expert... so in my mind, if he is out of suggestions, then it's NEVER good lol
