Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Franktum
Contributor
Jump to solution

How to extract auto-signed certificate info

Hi,

Last friday we got an issue when the Identity Collectors couldn't connect to a gateway. After a while we realised the certificate on the gateway expired. We fixed the issue by renewing it.

Now what we want is to monitor when that certificate will expire and to configure an alert to notify us 1 month earlier. The idea is to know what command tells us the expiration day of that certificate. We tried this command in all interfaces of the gateway, it shows the info from another certificate in the appliance, not the one we want:

cpopenssl s_client -connect X.X.X.X:443 | cpopenssl x509 -text

The output of that command shows us the certificate is going to expire on 2028 and the interesting certificate will expire on 2025 so it's reading another cert.

Do you know the command to extract the info of that certificate?

Thanks!

0 Kudos
1 Solution

Accepted Solutions
Lesley
Leader Leader
Leader

Maybe this command helps you:

[SMARTCENTER]# cpca_client lscert

[SMARTCENTER]# cpca_client lscert ?
Error: odd argument ? for lscert
Usage: cpca_client [-d]
create_cert [-p <ca_port>] -n "CN=<common name>" -f <PKCS12 filename> [-w <password>] [-k <SIC|USER|IKE|ADMIN_PKG>] [-c cert_comment]
revoke_cert [-p <ca_port>] [-n "CN=<common name>"] [-s <serial_number>]
revoke_non_exist_cert -i <input_file_full_path>
init_certs [-p <ca_port>] -i input_file_full_path -o output_file_full_path
get_crldp [-p <ca_port>]
set_cert_validity -k <SIC|IKE|USER> [-y num_of_years] [-d num_of_days] [-h num_of_hours] [-s num_of_seconds]
set_mgmt_tool on|off|add|remove|clean|print [-p <ca_port>] { [-a <administrator DN>] [-u <user DN>] [-c <custom user DN>] }
set_ca_services on|off
get_pubkey [-p <ca_port>] output_file
lscert [-dn substr] [-stat Pending|Valid|Revoked|Expired|Renewed] [-kind SIC|IKE|User|LDAP] [-ser ser] [-dp dp]
double_sign [-p <ca_port>] -i <input file: cert in PEM format> [-o <output file>]
set_sign_hash [sha1|sha256|sha384|sha512]
search <string> [-where dn|comment|serial|device_type|device_id|device_name] [-kind SIC|IKE|User|LDAP] [-stat Pending|Valid|Revoked|Expired|Renewed] [-max <maximum number of results>] [-showfp y/n]

-------
If you like this post please give a thumbs up(kudo)! 🙂

View solution in original post

2 Replies
Lesley
Leader Leader
Leader

Maybe this command helps you:

[SMARTCENTER]# cpca_client lscert

[SMARTCENTER]# cpca_client lscert ?
Error: odd argument ? for lscert
Usage: cpca_client [-d]
create_cert [-p <ca_port>] -n "CN=<common name>" -f <PKCS12 filename> [-w <password>] [-k <SIC|USER|IKE|ADMIN_PKG>] [-c cert_comment]
revoke_cert [-p <ca_port>] [-n "CN=<common name>"] [-s <serial_number>]
revoke_non_exist_cert -i <input_file_full_path>
init_certs [-p <ca_port>] -i input_file_full_path -o output_file_full_path
get_crldp [-p <ca_port>]
set_cert_validity -k <SIC|IKE|USER> [-y num_of_years] [-d num_of_days] [-h num_of_hours] [-s num_of_seconds]
set_mgmt_tool on|off|add|remove|clean|print [-p <ca_port>] { [-a <administrator DN>] [-u <user DN>] [-c <custom user DN>] }
set_ca_services on|off
get_pubkey [-p <ca_port>] output_file
lscert [-dn substr] [-stat Pending|Valid|Revoked|Expired|Renewed] [-kind SIC|IKE|User|LDAP] [-ser ser] [-dp dp]
double_sign [-p <ca_port>] -i <input file: cert in PEM format> [-o <output file>]
set_sign_hash [sha1|sha256|sha384|sha512]
search <string> [-where dn|comment|serial|device_type|device_id|device_name] [-kind SIC|IKE|User|LDAP] [-stat Pending|Valid|Revoked|Expired|Renewed] [-max <maximum number of results>] [-showfp y/n]

-------
If you like this post please give a thumbs up(kudo)! 🙂
Franktum
Contributor

Thanks for the answer Lesley! In management we were able to check the certificates (we got several gateways with Identity Awareness) with cpca_client lscert -ser XXXX.

 

Regards!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events