David_C1
Advisor

Centrally managed Spark appliance and VPN certificates

We use SmartProvisioning to manage 25 or so Spark appliances. These appliances are used as satellite gateways in a VPN community, with the center gateways managed by the same SMS. I cannot find a way to determine the age/expiration date of the VPN certificate generated by the SMS (in SmartProvisioning). Here is a screenshot of the VPN tab where the cert is generated:

VPN cert SmartProvisioning.jpg

As you can see, no details available. The webUI of the Spark appliance does show installed certificates, but the certs shown here are the locally generated certificates.

Spark cert1.jpg

Spark cert2.jpg

 

Is there a way to see the details of the certificate generated in SmartProvisioning, which is actually used for the VPN authentication?

Thanks,

David

 

0 Kudos
4 Replies
PhoneBoy
Admin

The local WebUI will only show you local certificates, I believe.
Might need to use cpca_client lscert from Expert Mode.

0 Kudos
David_C1
Advisor

Phoneboy - you are correct, local WebUI only shows local certificates (something not very helpful with centrally managed gateways) and the command you provided does show me what I need to see - thank you for that.

That being said, it would be nice if the certificate view in SmartProvisioning had the same features as in SmartConsole, where you can actually see details of the cert.

Dave

0 Kudos
David_C1
Advisor

Bad form, I know, to reply to my own post, but a follow-up question:

cpca_client lscert shows me the certs that the CA has issued (including expired, revoked certs). There are many examples of numerous certs issued for the same gateway, same function. How do I know which cert the client is actually using? If one cert is expired, one is valid, I can assume that the gateway is using the valid cert? Or is there some way on the client side I can verify?

Dave

0 Kudos
PhoneBoy
Admin

Only valid certs should be used.
To see which one is actually used, a debug might be required.

0 Kudos
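An added example, not part of the original thread and not Check Point code: a Python sketch that sorts saved `cpca_client lscert` output into, per gateway subject, the unexpired Valid IKE certificate with the latest Not_After and the older serials issued for the same subject. The three-line record layout, the subject names and the serials are assumptions constructed for illustration; the result is the CA's view only and does not prove which certificate a gateway presents.

```python
import re
from datetime import datetime, timedelta

# Constructed sample. The record layout is an assumption about what
# cpca_client lscert prints; adjust RECORD if your output differs.
SAMPLE = """\
Subject = CN=spark-branch01 VPN Certificate,O=sms.example..abc123
Status = Expired   Kind = IKE   Serial = 11001   DP = 0
Not_Before: Mon Mar  4 10:00:00 2019   Not_After: Sun Mar  3 10:00:00 2024
Subject = CN=spark-branch01 VPN Certificate,O=sms.example..abc123
Status = Valid   Kind = IKE   Serial = 48213   DP = 2
Not_Before: Fri Mar  1 09:30:00 2024   Not_After: Wed Feb 28 09:30:00 2029
Subject = CN=spark-branch02 VPN Certificate,O=sms.example..abc123
Status = Valid   Kind = IKE   Serial = 30555   DP = 1
Not_Before: Tue Jun  2 08:00:00 2020   Not_After: Mon Jun  2 08:00:00 2025
"""

RECORD = re.compile(
    r"Subject = (?P<subject>.+)\n"
    r"Status = (?P<status>\w+)\s+Kind = (?P<kind>\w+)\s+Serial = (?P<serial>\d+)\s+DP = \d+\n"
    r"Not_Before: .+?\s+Not_After: (?P<na>.+)")
FMT = "%a %b %d %H:%M:%S %Y"

def parse_lscert(text):
    """Turn lscert text into dicts; Not_After becomes a datetime."""
    return [{**m.groupdict(), "not_after": datetime.strptime(m["na"].strip(), FMT)}
            for m in RECORD.finditer(text)]

def vpn_cert_candidates(certs, now, warn_days=60):
    """Per subject: newest unexpired Valid IKE cert, plus every other serial."""
    report = {}
    for c in certs:
        if c["kind"] != "IKE": continue
        entry = report.setdefault(c["subject"], {"candidate": None, "other_serials": []})
        best = entry["candidate"]
        usable = c["status"] == "Valid" and c["not_after"] > now
        if usable and (best is None or c["not_after"] > best["not_after"]):
            if best: entry["other_serials"].append(best["serial"])
            entry["candidate"] = c
        else:
            entry["other_serials"].append(c["serial"])
    for entry in report.values():
        c = entry["candidate"]
        # Flag candidates that expire within warn_days so renewal can be planned.
        entry["expiring_soon"] = bool(c) and c["not_after"] - now < timedelta(days=warn_days)
    return report
```

A subject whose `candidate` is `None` has no usable certificate on record at the CA, which is the case to investigate first.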
