This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Thomas_Eichelbu
Advisor
‎2023-09-13 03:02 AM

How to check for expired third party certificates?

Hello Check Mates, 

 

Question:
How to check for expired third party certificates via CLI/API whatever?
We have a bunch of third party certificates installed, on various gateways and portals, but how to check them?

internal certificates, yes this is not an issue.
but SK sk104400 says:

[Expert@provider:0]# cpca_client lscert -stat Valid -kind IKE
Operation succeeded. rc=0.
1 certs found.

Subject = CN=cpmodule VPN Certificate,O=Example_Management_Server.checkpoint.com.d2hitj
Status = Valid Kind = IKE Serial = 91912 DP = 1
Not_Before: Wed Jan 14 14:19:02 2015 Not_After: Tue Jan 14 14:19:02 2020
--------------------

The expiration date is shown as 'Not_After: Tue Jan 14 14:19:02 2020' for this VPN Certificate.

Note: this command output has only Internal CA certificates, external CA certificates will not be shown.

so " external CA certificates will not be shown" and where can i see them?
I also dont see them on CA management WebUI

Is there a way to see them on CLI/API?

Dealing with certificates on Check Point platform is never an easy thing and all GUI elements in this regard look very old school.
just follow this thread
https://community.checkpoint.com/t5/General-Topics/Renew-external-3rd-party-certificate-for-IPSEC-VP...

maybe you guys have a trick ready!

Thank you

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
‎2023-09-13 10:30 AM

The relevant objects do not have official API endpoints at present.
Even using generic-object APIs, I'm not seeing the information you're after.
As an example, I created a third party CA for LetsEncrypt in SmartConsole that I named... "LetsEncrypt"
To get the UID of this object, you can execute the following from the CLI of your management: mgmt_cli -r true show-generic-objects name "LetsEncrypt" --format json

Now, you can use show-generic-object: mgmt_cli -r true show-generic-object uid 22eceb6d-cdbe-4c90-a9d2-edcb3b0cc101 --format json

Unfortunately, the output doesn't appear to include anything about the expiration date:

 

{
  "domainsPreset" : null,
  "objectValidationState" : null,
  "dynamicContent" : {
    "objId" : "00000000-0000-0000-0000-000000000000",
    "checkPointObjId" : null,
    "domainsPreset" : null,
    "domainId" : null,
    "status" : "CALCULATING",
    "content" : { },
    "modified" : false,
    "folderPath" : null,
    "text" : null,
    "folder" : null,
    "is_owned" : false
  },
  "color" : "BLACK",
  "crlHttp" : true,
  "cacertsignkey" : "1b6233df938c3c129d438fcc",
  "ocspValidation" : false,
  "crlCacheTimeout" : 86400,
  "permissionsStrings" : [ ],
  "cacertificate" : "",
  "crlLdap" : false,
  "crlCacheType" : "TIMEOUT",
  "dn" : "CN=ISRG Root X1,O=Internet Security Research Group,C=US",
  "useAutoEnrollment" : false,
  "type" : "ca",
  "automaticEnrollmentProtocol" : null,
  "ocspServers" : [ ],
  "caType" : "OPSEC_PKI",
  "useCnToFetchUser" : false,
  "additionalCaSignKeys" : [ ],
  "permissionsType" : "NONE",
  "usePrincipalName" : false,
  "uid" : "22eceb6d-cdbe-4c90-a9d2-edcb3b0cc101",
  "folder" : {
    "uid" : "5c321c20-24b4-4c3f-aab7-cbc490d74dfd",
    "name" : "Global Objects"
  },
  "domain" : {
    "uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
    "name" : "SMC User"
  },
  "meta-info" : {
    "metaOwned" : false,
    "lockStateResponse" : null,
    "validationState" : "OK",
    "deletable" : true,
    "renameable" : true,
    "newObject" : false,
    "lastModifytime" : 1694633588103,
    "lastModifier" : "phoneboy",
    "creationTime" : 1694633588103,
    "creator" : "phoneboy"
  },
  "tags" : [ ],
  "name" : "LetsEncrypt",
  "icon" : "Objects/account_unit",
  "comments" : "",
  "display-name" : "",
  "customFields" : [ ],
  "_original_type" : "TrustedOpsecCaServer"
}

 

Not sure if there's another way to get this information short of SmartConsole.

0 Kudos
Thomas_Eichelbu
Advisor
‎2023-09-14 07:41 AM
In response to PhoneBoy

Hello, 

yes this works ... i can find this object ...  "ssl_cert"

 

10.png

 

[Expert@XXXXXXXXX:0]# mgmt_cli -r true show-generic-objects name "ssl_cert" --format json
{
"objects" : [ {
"uid" : "88d6f1f4-0806-4298-81eb-d660413962d4",
"name" : "ssl_cert",
"type" : "TrustedOpsecCaServer",
"domain" : {
"uid" : "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name" : "SMC User",
"domain-type" : "domain"
}
} ],
"from" : 1,
"to" : 1,
"total" : 1
}

but iam talking about this certificates "savpn.XXXX"

 

11.png

 



 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-14 03:47 PM
In response to Thomas_Eichelbu

The only way you can even see those certificates is by looking at the gateway through the generic-object API.
Something like: mgmt_cli -r true show generic-object uid "8414a95f-8f3d-5442-9944-9877f964d08e" --format json | jq ".certificates[]"

Possible that may lead you somewhere on your system.

0 Kudos
the_rock
Legend
Legend
‎2023-09-13 11:24 AM

Maybe below?

[Expert@QUANTUM-MANAGEMENT:0]# cpca_client lscert -stat Expired
Operation succeeded. rc=0.
0 certs found.

 

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_SecurityManagement_AdminGuid...

Thomas_Eichelbu
Advisor
‎2023-09-14 07:31 AM
In response to the_rock

Hello, 

well if the certificate is expired, it is already too late ... i want to check for certificate which will expire in the near future.
also this command shows ONLY internal Check Point certificate from its own CA.
But on many CP installations, a lot of third party certificates are installed for Platform Portal, User Check, HTTPS Inspection, IA Blade and Third Party IPSec certificates.

 

(1)
the_rock
Legend
Legend
‎2023-09-14 07:34 AM
In response to Thomas_Eichelbu

Ok, once I re-read your post, I sort of figured thats what you were looking for, so accept my apologies, command I gave you is really, well useless lol

Anyway, that would be great if you find out the command, as I agree, it would be nice to see ones soon expiring, specially the 3rd party certs.

Did you open TAC case about it or not yet?

Andy

0 Kudos
Thomas_Eichelbu
Advisor
‎2023-09-26 12:13 AM
In response to the_rock

Hello, 

yes a TAC case has been opened, lets see what TAC can find out.
I fear a RFE would be required to realize an reasonable way to check for third party certificates.

 

0 Kudos
the_rock
Legend
Legend
‎2023-09-26 03:59 AM
In response to Thomas_Eichelbu

I agree, thats most likely what they will tell you.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-09-26 09:26 AM
In response to Thomas_Eichelbu

Since this is really bugging me and Im very persistant dude, Im trying to make a script that would show this. So far, no luck, but Im not giving up 🙂

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events