Hi all,
Wondering if you can help provide a way to do the below.
I am trying to get information from a 1490 device running R77.20, the latest version for the 1490.
We normally would use cpca_client, but that has been removed from the embedded appliance.
I have tried this:
cpca_dbutil print $FWDIR/conf/InternalCA.db
but that only prints the information out and does not provide the valid from and to dates.
I also tried
ls -lht /opt/fw1/state/InternalCA_site.p12
This only provides me the date the file was created. Does anyone know how to get this information from a 1490 via the command line?
Thanks all,
Frank
If it's a question about the 1490, it should be in the https://community.checkpoint.com/community/infinity-general/smb-smp?sr=search&searchId=6ce11c64-4608... space.
And maybe we should tag https://community.checkpoint.com/people/mirio5da802f4-2304-47d4-915d-e09d560ea3cc
But just to clarify: you're looking for the dates of validity for the internal CA certificate?
Is this 1490 self-managed or are you managing it with a SmartCenter/MDM setup?
Hi Dameon,
Thanks for the response, happy for it to be moved to the correct location also.
But just to clarify: you're looking for the dates of validity for the internal CA certificate? Correct
Is this 1490 self-managed or are you managing it with a SmartCenter/MDM setup? SmartCenter managed.
Thank you
Frank
I'm questioning if this is the right command for the job in the first place on a gateway.
When I try to execute this command on a regular (non-SMB) R77.30 or R80.10 gateway, I get an "operation failed" message.
When I execute it on a management, I get what you describe, a bunch of lines that look like:
Subject = CN=animal,O=bunsen..9zzzzz
Status = Valid Kind = SIC Serial = 11111 DP = 0
Not_Before: Thu Aug 17 09:19:53 2017 Not_After: Wed Aug 17 09:19:53 2022
Which makes sense since the internal certificate authority only exists on the management.
It should have all the certificates for all managed gateways.
The above example is the certificate for a gateway managed by this SmartCenter.
Perfect my friend, sorry to waste your time on these questions.
I did think about management, but our developers wanted this to come from the appliance.
I will go with your suggestion.
Thanks, Frank
No worries, it was a good opportunity to refresh my knowledge.
Hi Dameon,
Sorry to bring this back up, but I gather there is no way of getting this from the GW? I guess we can do a check first to see if ICA_Services are allowed from Gateway to Management, then check the cert on the Manager?
cpca_client lscert seems to be missing completely from the 1490 code.
Thanks
Frank
I don’t see why cpca_client should exist on the SMB appliance since it does not perform central management functions, being either managed by something else or self-managed.
Maybe for locally managed SMB cluster deployments.
Ok, but if the device was managed locally, then there is no way to retrieve this info.
Plus, based on that, if FW_ICA_services is not allowed by control connections, what if you do a check on the management and it reports the cert is valid, but on the GW it has not pushed/pulled the new cert because of the control connection being allowed and an explicit rule for the service to be allowed?
Strange how a Gaia GW, and not management, still has cpca_client there even if it is a GW.
Cheers for the info either way, but gathering from what was said, there is no way to get this out of the device itself.
Embedded Gaia appliances have less storage space to work with than regular appliances.
As such, items that are not required are removed from the OS image.
Like I mentioned before, you can't use cpca_client lscert on a regular gateway either as it's only meant for management.
This is documented in the following sk: How to determine SIC Certificate expiration date
I'll see if there's a way to determine this from a gateway.
Hello Franco,
Would it be related to the InternalCA.crt? If it is, you can try:
cpopenssl x509 -noout -inform DER -in /opt/fw1/conf/InternalCA.crt -enddate -startdate
You can use this for other certificates on the gateway, or the -text option to see the complete certificate.
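As an added example (not code from the thread or from Check Point), the following POSIX sh wrapper turns the `x509 -startdate -enddate` check above into a reusable expiry alarm via `-checkend`. It assumes `cpopenssl` accepts the same `x509` options as `openssl` (set `OPENSSL=cpopenssl` on the appliance), and it builds a throwaway self-signed DER certificate locally so it runs offline; as noted in this thread, it only reports on the certificate file you point it at.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the `x509 -startdate -enddate`
# check and adds `-checkend` so the same command can raise an alarm before a
# certificate lapses. OPENSSL defaults to openssl; on a Check Point appliance
# set OPENSSL=cpopenssl (assumption: cpopenssl accepts the same x509 options).
OPENSSL="${OPENSSL:-openssl}"

# cert_validity FILE FORM -> prints notBefore= / notAfter= for a DER or PEM cert
cert_validity() {
    "$OPENSSL" x509 -noout -inform "$2" -in "$1" -startdate -enddate
}

# cert_ok_for_days FILE FORM DAYS -> returns 0 if the cert is still valid DAYS
# from now, non-zero if it expires (or has already expired) within that window
cert_ok_for_days() {
    "$OPENSSL" x509 -noout -inform "$2" -in "$1" \
        -checkend $(( $3 * 86400 )) >/dev/null
}

# Constructed test input: a throwaway self-signed CA valid for 30 days, saved
# as DER to mirror the InternalCA.crt case in the thread (not a real CP file).
make_test_ca() {
    "$OPENSSL" req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example-internal-ca" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
    "$OPENSSL" x509 -in "$1.pem" -outform DER -out "$1.der"
}

main() {
    base="${TMPDIR:-/tmp}/ca-demo.$$"
    make_test_ca "$base"
    cert_validity "$base.der" DER
    if cert_ok_for_days "$base.der" DER 14; then
        echo "OK: certificate valid for at least 14 more days"
    else
        echo "WARN: certificate expires within 14 days"
    fi
    rm -f "$base.key" "$base.pem" "$base.der"
}

main "$@"
```

Point `cert_validity` and `cert_ok_for_days` at a real certificate file (for example the DER InternalCA.crt path from the post above) to use them outside the demo.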
That would be for the internal CA on the appliance itself.
That's not the SIC key used by the appliance when communicating with central management.
Based on some SKs, it's going to be:
$CPDIR/conf/sic_cert.p12
I confirmed by resetting SIC on an 1100 device that the sic_cert.p12 file changes when SIC is re-established.
That means you should be able to do something like the following to dump the key:
cpopenssl pkcs12 -info -in /opt/fw1/conf/sic_cert.p12
Except that won't work as the certificate is protected by a password, which I am going to guess we're not giving out.
Hi Franco Carchedi,
If you wish to know the details regarding the GW's internal CA you can do it in the WEB-UI ('Internal Certificate' page under VPN in locally managed mode) or in expert mode (both in locally and centrally managed modes) by the command `#cat $FWDIR/conf/InternalCA.fwset`.
The InternalCA.fwset is essentially a print of the internal CA that we take into a text file during its creation using cpca.
BTW, the Internal CA is not relevant in centrally managed mode since the MGMT server is handling all the signing requests... Is there any particular reason you need the info regarding the GW's internal CA in centrally managed mode as well?
Thanks David Gambrin, and all, for the responses.
That command worked a treat:
cat $FWDIR/conf/InternalCA.fwset
Thanks
Frank
Just to be clear, that only shows the dates associated with the Internal CA on that specific device.
It does NOT reflect the SIC certificate used by the device issued by your central management.