StackCap43382
Contributor

HTTPS Inspection Certificate Expired - No Warnings?

Hi All,

 

Just had to renew an HTTPS certificate that expired yesterday and caused an outage this morning.

I can't see any warning in the policy install, audit logs or logs and there is no mention in the ARTG etc.

I know better warnings about VPN Cert expiry have been added.

Am I missing something obvious?


CCSME, CCTE, CCME, CCVS
StackCap43382
Contributor

I don't see anything there about HTTPS Certificate expiration warnings. 

CCSME, CCTE, CCME, CCVS
the_rock
Legend

I'm almost positive you don't get a warning for that, at least I have never seen it in any customer's environment or in multiple labs where I had it enabled (R80.30, R80.40, R81.10 and R81.20). You can certainly confirm with TAC, but I'm 99.99% sure there is no warning pop-up for the inspection cert.

I know, it would make total sense to receive it, but guess not there.

Andy

StackCap43382
Contributor

I've also not seen anything going back to r77.30.

I've opened a case with TAC to be 100% sure.

I have noticed there is an API command in the latest 1.9.1 version of the MGMT API with which it appears you can extract HTTPS certificate details.

mgmt_cli show outbound-inspection-certificate
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-outbound-inspection-certificate...

 

 

 

CCSME, CCTE, CCME, CCVS
0 Kudos
the_rock
Legend

Correct, this is just in my lab, which also matches the screenshot below from the legacy HTTPS inspection SmartConsole. I believe max validity is 15 years.

Andy

 

valid-from: "14-Sep-23"
valid-to: "31-Dec-37"

 

Screenshot_1.png

0 Kudos
Martin_Raska
Advisor

I had the same problem, my certificate expired after 5 years. No warnings either. I had to renew and set a long expiration date.

0 Kudos
the_rock
Legend

Makes sense...I hope someone from Israel sees this post and they make that change, as I agree 100%, it would be very convenient to have a warning at least 6 months in advance, that's more than enough time.

Andy

0 Kudos
StackCap43382
Contributor

Ticket Raised with TAC.

Confirmed no current method to monitor.

Requested to raise RFE. 

 

In case anyone wants to use the API to pull Cert Expiration:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/show-outbound-inspection-certificate~v1.9%20

 

CCSME, CCTE, CCME, CCVS
0 Kudos
the_rock
Legend

I had been super busy with other more pressing CP issues, but still working on this, not giving up.

Andy

0 Kudos
matangi
Employee

Hi @StackCap43382,
Thanks for your valued feedback.

We introduced a new HealthCheck Point (HCP) test to verify the expiration date of the HTTPS Inspection outbound certificate.

The test will be included in an upcoming release of HCP.

The possible results for the test are as follows:

# SUCCESS - No issues detected. The certificate is valid and will not expire in the next 60 days.

# WARNING - The certificate will expire within the next 60 days.

# ERROR - Issues detected that need immediate action. The certificate is either expired or not yet valid.

HTTPSi outbound cert.PNG

Thanks,
Matan

0 Kudos
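An added example, not part of any post in this thread and not Check Point code: a monitoring check that reads the `valid-from` / `valid-to` fields shown earlier for `mgmt_cli show outbound-inspection-certificate` and applies the SUCCESS / WARNING / ERROR thresholds described for the HCP test. Assumptions: the command output is piped in on stdin, dates use the `DD-Mon-YY` form from the lab output above, the certificate counts as valid through its `valid-to` date, and the function names and the 0/1/2 exit codes are chosen here for illustration.

```python
import re
import sys
from datetime import date, datetime

# Constructed sample, using the field layout quoted earlier in this thread.
SAMPLE_OUTPUT = '''
valid-from: "14-Sep-23"
valid-to: "31-Dec-37"
'''

FIELD_RE = re.compile(r'^\s*(valid-from|valid-to):\s*"([^"]+)"', re.MULTILINE)
EXIT_CODES = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2}  # assumed, monitoring-style


def parse_validity(output):
    """Return (valid_from, valid_to) as dates parsed from the command output."""
    fields = dict(FIELD_RE.findall(output))
    missing = {"valid-from", "valid-to"} - fields.keys()
    if missing:
        raise ValueError("missing fields: %s" % sorted(missing))
    # DD-Mon-YY; %y maps 00-68 to 20xx, so "37" is read as 2037.
    return tuple(datetime.strptime(fields[key], "%d-%b-%y").date()
                 for key in ("valid-from", "valid-to"))


def classify(valid_from, valid_to, today, warn_days=60):
    """Return (status, days_left) per the thresholds described for the HCP test."""
    days_left = (valid_to - today).days
    if today < valid_from or days_left < 0:
        return "ERROR", days_left      # not yet valid, or already expired
    if days_left <= warn_days:
        return "WARNING", days_left    # expires within the warning window
    return "SUCCESS", days_left


def check(output, today=None, warn_days=60):
    """Parse the command output and classify it against today's date."""
    valid_from, valid_to = parse_validity(output)
    return classify(valid_from, valid_to, today or date.today(), warn_days)


if __name__ == "__main__":
    # Use piped input when present, otherwise fall back to the constructed sample.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    status, days_left = check(text)
    print("%s: outbound inspection certificate, %d days to valid-to" % (status, days_left))
    sys.exit(EXIT_CODES[status])
```

Run from a scheduled job, a non-zero exit code gives an alert that does not depend on anyone opening HCP or SmartConsole.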
the_rock
Legend

That's perfect, good news @matangi

I pray you are safe over there and I pray for peace 🙌🙌

Andy

0 Kudos
matangi
Employee

Thank you @the_rock 😍

0 Kudos
StackCap43382
Contributor

Thank you for adding this to the HCP tool.

The issue is that I still consider HCP a power user tool, as the vast majority of customers either don't know it's there or don't run it often enough to pick up on this before it's too late.

The alert/notification should require no manual action from the administrator (run the script) and should be a management notification.

There are several functions/faults that generate a popup on Smart Console login, this should be one of them. 

 

CCSME, CCTE, CCME, CCVS
0 Kudos
the_rock
Legend

I really love the fact that the web version was possible for HCP starting in R81.10.

Below is what it looks like in my R81.20

Andy

 

 

 

Screenshot_1.png

 

 

0 Kudos
Izhar_Shoshani_
Employee

We are working to integrate the HCP alert into the Mgmt/SmartConsole. This is planned for the next version.

the_rock
Legend

Great news @Izhar_Shoshani_ 

0 Kudos