
Certificate Renewal - how is this task processed - Reporting options required


Can someone help me to check the certificates installed on Check Point appliances? I have two requirements: I need to check whether these appliances/gateways have a valid certificate installed for WebUI and SSH access, and what the validity and expiry dates are and who provided the certificate (either ICA or a third-party certificate authority).

Any update on this is greatly appreciated

Thanks in advance



0 Kudos
5 Replies

Moving to Appliances and Gaia

Every time you connect to one of the web portals, the public certificate of that portal should be offered.

This is how TLS works.

I suppose you could use something like the following to programmatically evaluate the various portals: Proactively Handling Certificate Expiration With ssl-cert-check -- Prefetch Technologies 

SSH keys are not issued by a certificate authority.

They are almost always internally generated and do not have an expiration date.

0 Kudos
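A sketch of the programmatic portal check suggested in the reply above, added here as an example and not taken from the thread or from Check Point: it reports the issuer, validity dates and days remaining for the certificate a web portal offers, or the reason it fails validation. The `cafile` bundle (your internal CA certificate in PEM form), the 30-day warning threshold and the function names are assumptions.

```python
import socket
import ssl
import time

def _name(rdns):
    """Flatten the nested RDN tuples from getpeercert() into a dict."""
    return {k: v for rdn in rdns for (k, v) in rdn}

def summarize(cert, now=None, warn_days=30):
    """Summarize a dict in the shape returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= warn_days:
        state = "EXPIRING"
    else:
        state = "OK"
    issuer = _name(cert["issuer"])
    return {
        "subject": _name(cert["subject"]).get("commonName", "?"),
        "issuer": issuer.get("commonName") or issuer.get("organizationName", "?"),
        "self_signed": cert["subject"] == cert["issuer"],
        "not_before": cert["notBefore"],
        "not_after": cert["notAfter"],
        "days_left": days_left,
        "state": state,
    }

def check_portal(host, port=443, cafile=None, timeout=5):
    """Handshake with a portal and summarize the certificate it offers.

    cafile is an assumed PEM bundle with your internal CA certificate; when
    it is given, only that bundle is trusted, otherwise the system roots are.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # gateways are often reached by IP address
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return summarize(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"state": "UNTRUSTED", "reason": exc.verify_message}
    except OSError as exc:
        return {"state": "UNREACHABLE", "reason": str(exc)}
```

Calling `check_portal` for each gateway address and writing the returned dicts to CSV gives a per-portal report; an `UNTRUSTED` result carries the validation failure reason (expired, self-signed, unknown issuer) instead of the certificate fields.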

Thank you for your response

0 Kudos

If you need to check the expiration of all certificates, you may also check the ones which are used to establish IPSec tunnels. By default they are generated for 5 years... if some of your Security Gateways have to be in place for approx. this time, you should pay attention to that expiration: if expired, you will not be able to establish a VPN IPSec tunnel.

I use the following command on the Security Management Server:

cpca_client lscert -kind IKE -stat Valid > /var/ValidIKECert_`/bin/date +%Y-%m-%d_%H%M`.txt

More details on the cpca_client lscert command (from the Command Line Interface Reference Guide of R77):
Description: Show all certificates issued by the ICA.

> cpca_client [-d] lscert [-dn <substring>] [-stat {Pending|Valid|Revoked|Expired|Renewed}] [-kind SIC|IKE|User|LDAP] [-ser <ser>] [-dp <dp>]

Parameter Description
-d Runs the command in debug mode
-dn substring Filters results to those with a DN that matches this <substring>
-stat Filters results to the specified certificate status: Pending, Valid, Revoke, Expire, or Renewed
-kind Filters results for specified kind: SIC, IKE, User, or LDAP
-ser <serial> Filters results for this serial number
-dp <dp> Filters results from this CDP (certificate distribution point)

The content of the file generated should be something like:

which could be transformed to:

... in order to be imported in any spreadsheet software.

Information Security enthusiast, CISSP, CCSP

Thank you for your input


Thank you all for your feedback. I will go through your comments.

If we have the certificate from the internal certificate authority for the administrative access (via SSH, WebUI) on the security components, I hope the same can be pushed to user laptops using Group Policy.

My organization is asking for the certificate for administrative access (via ssh, WEB-UI) on the security components.

0 Kudos

