This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Somasekharan_Va
Participant
‎2018-02-13 05:27 AM

Certificate Renewal - how is this task processed - Reporting options required

Hello,

Can someone help me to check the certificates installed on Check Point appliances?. I have two requirements, need to check whether these appliance/gateways are installed valid certificate for WebUI and SSH access and what is the validity and expiry date and who provided the certificate (ether ICA or third-party certificate authority)

Any update on this is greatly appreciated

Thanks in advance

Thanks,

Somasekharan

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2018-02-13 03:01 PM

Moving to Appliances and Gaia

Every time you connect to one of the web portals, the public certificate of that portal should be offered.

This is how TLS works.

I suppose you could use something like the following to programmatically evaluate the various portals: Proactively Handling Certificate Expiration With ssl-cert-check -- Prefetch Technologies 

SSH keys are not issued by a certificate authority.

They are almost always internally generated and do not have an expiration date.

0 Kudos
Somasekharan_Va
Participant
‎2018-02-14 11:46 PM
In response to PhoneBoy

Thank you for your response

0 Kudos
XBensemhoun
Employee
Employee
‎2018-02-14 01:33 PM

If you need to check all certificates expiration, you may check also the ones which are used to establish IPSec tunnels. By default they are generated for 5 years ... if some of your Security Gateways have to be in place approx this time, you should pay attention to that expiration : if expired, you will not be able to establish VPN IPSec tunnel.

I use the following command on the Security Management Server:

cpca_client lscert -kind IKE -stat Valid > /var/ValidIKECert_`/bin/date +%Y-%m-%d_%H%M`.txt

More details on cpca_client lscert command (from Command Line Interface Reference Guide of R77😞
Description Show all certificates issued by the ICA.
Syntax

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}]

[-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameter Description
-d Runs the command in debug mode
-dn substring Filters results to those with a DN that matches this <substring>
-stat Filters results to the specified certificate status: Pending, Valid, Revoke, Expire, or Renewed
-kind Filters results for specified kind: SIC, IKE, User, or LDAP
-ser <serial> Filters results for this serial number
-dp <dp> Filters results from this CDP (certificate distribution point)

The content of the file generated should be something like:

which could be transform to:

... in order to be imported in any spreadsheet software.

Information Security enthusiast, CISSP, CCSP
Somasekharan_Va
Participant
‎2018-02-14 11:46 PM
In response to XBensemhoun

Thank you for your input

Somasekharan_Va
Participant
‎2018-02-14 11:50 PM

Thank you all for your feedback. I will go through your comments.

If we have the certificate from the internal Certificate authority for For the administrative access (via ssh, WEB-UI) on the security components, hope the same can be pushed to use laptop using Group Policy.

My organization is asking for the certificate for administrative access (via ssh, WEB-UI) on the security components.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events