Difference between revisions of "revoking Check Point administrator certificates"

From cpwiki.net
Jump to: navigation, search
Check Point Profressional Services
(problem description)
(solution)
Line 13: Line 13:
 
1. list current certs for user
 
1. list current certs for user
  
  [Expert@P1server]# '''cpca_client lscert | grep -A 2 -i  johnsmith'''                                                                
+
  [Expert@P1server]# '''cpca_client lscert | grep -A 2 -i  johnsmith''' | grep -C 1 -i valid                                                         
Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
+
Status = Revoked  Kind = SIC  Serial = 26247  DP = 0
+
Not_Before: Mon Dec  9 20:30:28 2013  Not_After: Sun Dec  9 20:30:28 2018
+
 
  --
 
  --
 
  Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
 
  Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
Line 31: Line 28:
 
3. verify all certs have a status of revoked
 
3. verify all certs have a status of revoked
  
  [Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith
+
  [Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith  | grep -C 1 -i valid
  Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
+
'''Status = Revoked'''  Kind = SIC  Serial = 26247  DP = 0
+
Not_Before: Mon Dec  9 20:30:28 2013  Not_After: Sun Dec  9 20:30:28 2018
+
 
  --
 
  --
 
  Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
 
  Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9

Revision as of 17:34, 25 July 2014

problem description

versions: Check Point R65 - R75 (guessing)

products: reported on Provider-1, but could be relavant for a Smartcenter / Smart-1

Sometimes the need arises to revoke a user's certificate via CLI. One such situation is one where an administrator account was deleted without first revoking the certificate in the GUI. This will delete the user but leave the user certificate behind. If you try to recreate a user with the same name and generate a certificate, sometimes the certificate generation will fail. An exact error message is not documented here.

solution

no return value from above, so account non-existent

1. list current certs for user

[Expert@P1server]# cpca_client lscert | grep -A 2 -i  johnsmith | grep -C 1 -i valid                                                          
--
Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
Status = Valid   Kind = SIC   Serial = 47765   DP = 0
Not_Before: Fri Mar 28 04:57:09 2014   Not_After: Thu Mar 28 04:57:09 2019
--


2. revoke valid certs by referencing the CNs from above

[Expert@P1server]# cpca_client revoke_cert -n "CN=johnsmith,OU=users,O=P1server..rsyqv9"

Certificate was revoked successfully

3. verify all certs have a status of revoked

[Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith  | grep -C 1 -i valid 
--
Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9
Status = Revoked   Kind = SIC   Serial = 47765   DP = 0
Not_Before: Fri Mar 28 04:57:09 2014   Not_After: Thu Mar 28 04:57:09 2019
--


done