Hello,
Can someone help me to check the certificates installed on Check Point appliances? I have two requirements: I need to check whether these appliances/gateways have a valid certificate installed for WebUI and SSH access, and what the validity and expiry date are and who provided the certificate (either the ICA or a third-party certificate authority).
Any update on this is greatly appreciated
Thanks in advance
Thanks,
Somasekharan
Moving to Appliances and Gaia
Every time you connect to one of the web portals, the public certificate of that portal should be offered.
This is how TLS works.
I suppose you could use something like the following to programmatically evaluate the various portals: Proactively Handling Certificate Expiration With ssl-cert-check -- Prefetch Technologies
SSH keys are not issued by a certificate authority.
They are almost always internally generated and do not have an expiration date.
Thank you for your response
If you need to check all certificate expirations, you may also check the ones which are used to establish IPSec tunnels. By default they are generated for 5 years ... if some of your Security Gateways have to be in place for approx. this time, you should pay attention to that expiration: if expired, you will not be able to establish the VPN IPSec tunnel.
I use the following command on the Security Management Server:
cpca_client lscert -kind IKE -stat Valid > /var/ValidIKECert_`/bin/date +%Y-%m-%d_%H%M`.txt
More details on the cpca_client lscert command (from the Command Line Interface Reference Guide of R77):

Description: Show all certificates issued by the ICA.

Syntax:
> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}]
[-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameters:
-d                Runs the command in debug mode
-dn <substring>   Filters results to those with a DN that matches this <substring>
-stat             Filters results to the specified certificate status: Pending, Valid, Revoke, Expire, or Renewed
-kind             Filters results for the specified kind: SIC, IKE, User, or LDAP
-ser <serial>     Filters results for this serial number
-dp <dp>          Filters results from this CDP (certificate distribution point)
The content of the file generated should be something like:
which could be transformed to:
... in order to be imported into any spreadsheet software.
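As an added example (not part of this thread or of any Check Point tool), here is one way to do the "transform to a spreadsheet" step above: parse the saved lscert output, flag certificates expiring within a chosen window, and emit CSV with a days-remaining column. The sample output is constructed in the shape cpca_client lscert is assumed to print; the field labels and date format are assumptions, so adjust the regular expressions if your release prints them differently.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample in the shape `cpca_client lscert -kind IKE -stat Valid`
# prints on a Security Management Server (assumption: field labels and
# ctime-style dates as below; adjust the regexes if your release differs).
SAMPLE = """\
Operation succeeded. rc=0.
2 certs found.

Subject = CN=gw-branch1 VPN Certificate,O=mgmt.example.local.abcdef
Status = Valid   Kind = IKE   Serial = 10001   DP = 0
Not_Before: Tue Mar  3 10:15:00 2020   Not_After: Mon Mar  3 10:15:00 2025

Subject = CN=gw-branch2 VPN Certificate,O=mgmt.example.local.abcdef
Status = Valid   Kind = IKE   Serial = 10002   DP = 0
Not_Before: Wed Jan 15 08:00:00 2020   Not_After: Fri Jan 15 08:00:00 2021
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y"

def parse_lscert(text):
    """One dict per certificate block; blocks without 'Subject =' are skipped."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        subj = re.search(r"^Subject = (.+)$", block, re.M)
        dates = re.search(r"Not_Before:\s+(.+?)\s+Not_After:\s+(.+?)\s*$", block, re.M)
        if not (subj and dates):
            continue
        cert = dict(re.findall(r"(Status|Kind|Serial|DP) = (\S+)", block))
        cert["Subject"] = subj.group(1).strip()
        cert["Not_Before"] = datetime.strptime(dates.group(1).strip(), DATE_FMT)
        cert["Not_After"] = datetime.strptime(dates.group(2).strip(), DATE_FMT)
        certs.append(cert)
    return certs

def expiring_within(certs, now, days):
    """Certificates already expired or expiring within `days` of `now`."""
    return [c for c in certs if (c["Not_After"] - now).days <= days]

def to_csv(certs, now):
    """Spreadsheet-ready CSV text with a days-remaining column."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Subject", "Kind", "Status", "Serial", "Not_Before", "Not_After", "Days_Left"])
    for c in certs:
        w.writerow([c["Subject"], c["Kind"], c["Status"], c["Serial"], c["Not_Before"].date(),
                    c["Not_After"].date(), (c["Not_After"] - now).days])
    return buf.getvalue()
```

To use it on a real export, read the /var/ValidIKECert_*.txt file produced by the command above into `parse_lscert` instead of `SAMPLE`, and pass `datetime.now()` as `now`.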
Thank you for your input
Thank you all for your feedback. I will go through your comments.
If we have the certificate from the internal Certificate Authority for the administrative access (via SSH, WebUI) on the security components, hopefully the same can be pushed to user laptops using Group Policy.
My organization is asking for the certificate for administrative access (via SSH, WebUI) on the security components.