Expired certificates cannot be deleted from the Management Database
Solution ID: sk101049
Product: Quantum Security Management, Multi-Domain Security Management
Version: R80.10 (EOL), R80.20, R80.30
Date Created: 25-May-2014
Last Modified: 04-Jan-2022
Symptoms
Expired certificates cannot be deleted in Internal CA Management Tool:
- Connect to the command line on Management Server (over SSH, or console).
- Log in to Expert mode.
- Enable Internal CA Management Tool on the Security Management Server / Domain Management Server (refer to sk39915):
  [Expert@HostName]# cpca_client set_mgmt_tool on [-no_ssl]
- Connect to Internal CA Management Tool with a web browser.
- In the left pane, click on "Manage CRLs."
- Click "Clean the CA's Database and CRLs from expired certificates" - confirm, when prompted.
- Connect to the command line on Management Server (over SSH, or console).
- Log in to Expert mode.
- Check the list of expired certificates:
  [Expert@HostName]# cpca_client lscert -stat Expired
The expired certificates are still listed, even though they were supposed to be deleted from the database.

Expired certificates do not appear in the Management Database:
- Internal CA Management Tool does not show any expired certificates (click on 'Manage Certificates' - in the 'Status' field, select 'Expired' - click on the 'Search' button).
- Output of 'cpca_client lscert -stat Expired' shows:
  Operation succeeded. rc=0.
  0 certs found.

ICA Management Tool (sk39915) shows that several certificates that should have expired still appear as 'Valid.'

The 'cpca_client lscert' command fails with error "Operation failed. rc=-1."
Running the 'cpca_client lscert' command under debug ('fw debug cpca on TDERROR_ALL_ALL=5') shows:
fwasync_connbuf_realloc: Connection buffer overflow. Cannot allocate N bytes of memory. Limit is 1048576.
fwasync_conn_send: fwasync_connbuf_realloc() failed.
Cause
Certificates that are both Revoked and Expired are not shown when filtering by Expired: the Expired filter hides any certificate that is also Revoked, so a cleanup driven by that filter leaves such certificates in the database.
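An added audit check that applies the cause above (example code, not part of this SK article): since the Expired filter skips revoked certificates, list the Revoked ones with 'cpca_client lscert -stat Revoked' and flag those whose Not_After is already in the past. The record layout in the embedded sample, and the subject names and serials in it, are constructed assumptions for this example, not output captured from a real Management Server.

```python
import re
import sys
from datetime import datetime

# Constructed sample of 'cpca_client lscert -stat Revoked' output. The record
# layout (Subject / Status / Not_Before / Not_After lines) is an assumption.
SAMPLE_LSCERT_REVOKED = """\
Operation succeeded. rc=0.
2 certs found.

Subject = CN=gw-branch1 VPN Certificate,O=mgmt.example..aaaaaa
Status = Revoked   Kind = IKE   Serial = 10001   DP = 1
Not_Before: Mon Jan 06 10:00:00 2014   Not_After: Sat Jan 05 10:00:00 2019

Subject = CN=gw-branch2 VPN Certificate,O=mgmt.example..aaaaaa
Status = Revoked   Kind = IKE   Serial = 10002   DP = 1
Not_Before: Wed Mar 01 09:30:00 2017   Not_After: Mon Feb 28 09:30:00 2022
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y"
RECORD_RE = re.compile(
    r"Subject = (?P<subject>.+)\n"
    r"Status = (?P<status>\w+)\s+Kind = (?P<kind>\w+)\s+Serial = (?P<serial>\d+)\s+DP = \d+\n"
    r"Not_Before: (?P<nb>.+?)\s{2,}Not_After: (?P<na>.+)"
)

def parse_lscert(output):
    """Return one dict per certificate record found in lscert output."""
    return [{
        "subject": m["subject"].strip(),
        "status": m["status"],
        "kind": m["kind"],
        "serial": int(m["serial"]),
        "not_after": datetime.strptime(m["na"].strip(), DATE_FMT),
    } for m in RECORD_RE.finditer(output)]

def revoked_and_expired(output, as_of=None):
    """Serials of revoked certificates whose validity period has also ended.
    These are the records that '-stat Expired' does not list, so the ICA
    cleanup action driven by that filter leaves them in the database."""
    if as_of is None:
        as_of = datetime.now()
    elif isinstance(as_of, str):
        as_of = datetime.fromisoformat(as_of)
    return sorted(c["serial"] for c in parse_lscert(output)
                  if c["status"] == "Revoked" and c["not_after"] < as_of)

if __name__ == "__main__":
    # Real run: cpca_client lscert -stat Revoked | python3 audit_revoked.py
    print(revoked_and_expired(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSCERT_REVOKED))
```

Serials it prints are the candidates to handle outside the Expired filter; with no piped input it runs against the constructed sample.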
Solution