Difference between revisions of "revoking Check Point administrator certificates"
From cpwiki.net
(Created page with " == problem description == Sometimes the need arises to revoke a user's certificate via CLI. One such situation is one where an administrator account was deleted without fir...") |
|||
| Line 6: | Line 6: | ||
== solution == | == solution == | ||
| − | |||
| − | |||
| − | |||
| − | |||
no return value from above, so account non-existent | no return value from above, so account non-existent | ||
| − | + | 1. list current certs for user | |
[Expert@P1server]# '''cpca_client lscert | grep -A 2 -i johnsmith''' | [Expert@P1server]# '''cpca_client lscert | grep -A 2 -i johnsmith''' | ||
| Line 26: | Line 22: | ||
| − | + | 2. revoke valid certs by referencing the CNs from above | |
[Expert@P1server]# '''cpca_client revoke_cert -n "CN=johnsmith,OU=users,O=P1server..rsyqv9"''' | [Expert@P1server]# '''cpca_client revoke_cert -n "CN=johnsmith,OU=users,O=P1server..rsyqv9"''' | ||
Certificate was revoked successfully | Certificate was revoked successfully | ||
| − | + | 3. verify all certs have a status of revoked | |
[Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith | [Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith | ||
Revision as of 17:12, 25 July 2014
problem description
Sometimes the need arises to revoke a user's certificate via CLI. One such situation is one where an administrator account was deleted without first revoking the certificate in the GUI. This will delete the user but leave the user certificate behind. If you try to recreate a user with the same name and generate a certificate, the certificate generation will fail.
solution
no return value from above, so account non-existent
1. list current certs for user
[Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 Status = Revoked Kind = SIC Serial = 26247 DP = 0 Not_Before: Mon Dec 9 20:30:28 2013 Not_After: Sun Dec 9 20:30:28 2018 -- Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 Status = Valid Kind = SIC Serial = 47765 DP = 0 Not_Before: Fri Mar 28 04:57:09 2014 Not_After: Thu Mar 28 04:57:09 2019 --
2. revoke valid certs by referencing the CNs from above
[Expert@P1server]# cpca_client revoke_cert -n "CN=johnsmith,OU=users,O=P1server..rsyqv9"
Certificate was revoked successfully
3. verify all certs have a status of revoked
[Expert@P1server]# cpca_client lscert | grep -A 2 -i johnsmith Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 Status = Revoked Kind = SIC Serial = 26247 DP = 0 Not_Before: Mon Dec 9 20:30:28 2013 Not_After: Sun Dec 9 20:30:28 2018 -- Subject = CN=johnsmith,OU=users,O=P1server..rsyqv9 Status = Revoked Kind = SIC Serial = 47765 DP = 0 Not_Before: Fri Mar 28 04:57:09 2014 Not_After: Thu Mar 28 04:57:09 2019 --
done
