Export https inspection certificates off the firewall

[Flamer]

Hi all,

I am building another firewall (another vendor), and in order to make life easy I am wanting to take the certificate and private key off the CP manager (the one that is used for HTTPS inspection) so I can import into my other device (saves me getting another cert signed and deploying to all users)

I know its probably not a supported procedure, but I think I have found what I need here: /var/opt/CPsuite-R77/fw1/conf/ssl_certificates.C (all the details match that of my cert)

In that file it seems to give me a text representation of a pkcs12 cert, and another string called pki sign key, I'm just wondering if anyone knows how I can generate a certificate file out of this data in openssl (or export it from the checkpoint). I tried just pasting the text into a file and running it through openssl but it doesn't like the format.

thanks!

[mcnallym]

In SmartConsole then under the Application Control & URL Filtering / Advanced / HTTPS Inspection / Gateways then at the bottom then lists the Self Generated CA Certificate that would be generated.

Export Option on that page.

If was from a Certificate Vendor ie Trusted CA Issuer etc then cannot you get a copy of the Certificate again if purchased one.

[Flamer]

In SmartConsole then under the Application Control & URL Filtering / Advanced / HTTPS Inspection / Gateways then at the bottom then lists the Self Generated CA Certificate that would be generated.

Export Option on that page.

If was from a Certificate Vendor ie Trusted CA Issuer etc then cannot you get a copy of the Certificate again if purchased one.

Thanks for the reply, yes I know that export function, unfortunately that is just a cer file (public key only) so it does not export the private key.

The data I have found in /var/opt/CPsuite-R77/fw1/conf/ssl_certificates.C I am now 100% positive this is my pkcs12 file (private+public key) stored in hex format. This exact data blob is found in the same location on all my gateways that are doing https inspection, with the exact same hex value, the expiration dates and cn names tee up with that of my inspection certificate. So now the tricky part is figuring out how to get it back into a pksc12 container.

FYI this is what it looks like:

:certificate_name ("Email=concealed,CN=concealed")
:color (black)
:comments ()
:dn ("Email=concealed,CN=conealed")
:doubleSignCert ()
:generated_by_auto_enrollment (true)
:issuer ("CN=mycertsrver")
kcs12buf (0008020<TRIMMED>c8230)
kisignkey (d27<TRIMMED>31)
:type (pkcs12cert)
:valid_from (1487561977)
:valid_to (1645241977)

[jflemingeds]

Thanks for the reply, yes I know that export function, unfortunately that is just a cer file (public key only) so it does not export the private key.

The data I have found in /var/opt/CPsuite-R77/fw1/conf/ssl_certificates.C I am now 100% positive this is my pkcs12 file (private+public key) stored in hex format. This exact data blob is found in the same location on all my gateways that are doing https inspection, with the exact same hex value, the expiration dates and cn names tee up with that of my inspection certificate. So now the tricky part is figuring out how to get it back into a pksc12 container.

FYI this is what it looks like:

:certificate_name ("Email=concealed,CN=concealed")
:color (black)
:comments ()
:dn ("Email=concealed,CN=conealed")
:doubleSignCert ()
:generated_by_auto_enrollment (true)
:issuer ("CN=mycertsrver")
kcs12buf (0008020<TRIMMED>c8230)
kisignkey (d27<TRIMMED>31)
:type (pkcs12cert)
:valid_from (1487561977)
:valid_to (1645241977)

I don't have a pkcs file handy to look at but what are you thinking? Like is the hex string is missing something or is it more how do you take hex input and convert it into a binary? From the very little i read it sounds like pkcs is a binary archive so i'm thinking it might have what it needs already.

[Flamer]

Thats a good question!

Well if I chuck that hex blob into a file and convert it to binary (xxd), I then treat it like a normal .p12 file in openssl and try and export the private key out of it (openssl pkcs12 -in test.bin -nocerts -out test.pem) I get thrown an error which basically states the input is in an unknown format.

So my suspicion is this hex blob is not a direct hex of the original binary, they have run the original pkcs12 through some function to spit it out in this format.

[jflemingeds]

hmm. did you run file or maybe binwalk aginst the binary to see what they think it is? Most likely you're correct but slim chance..

[jflemingeds]

One other thought.. could that be only the public key and the sign key be the private?

[Flamer]

hmm. did you run file or maybe binwalk aginst the binary to see what they think it is? Most likely you're correct but slim chance..

Yeah tried that, it just returns "binary"

One other thought.. could that be only the public key and the sign key be the private?

Doesn't appear to be, the "pkcs12buf" field contains 6000+ characters, the pkisignkey field contains just 40. I think the sign key maybe something to do with the encryption of the buffer, Ill keep playing and hopefully one day figure it out

[Flamer]

In case this helps someone in the future, here's are the steps to extract your inspection certificate which I figured out:

First export the cer file off your gateway (under gateways tab in https inspection policy), open it and make a note of the issued to name, and the valid dates.

Look in this file : $FWDIR/conf/ssl_certificates.C

Your inspection cert will be in here, in the case you have more than one find then one that the issued to and valid dates match the exported cer as above, the dates are stored as a timestamp eg (1548441239), go online and search for "epoch date converter" in this case that date translates to "Friday, January 25, 2019"

Now you know which cert is the correct one, grab all the hex content in the "pkcs12buf" field, don't include the brackets. Save it into a text file called certfile.txt and load up your linux machine

You need to reverse the hex bytes:
cat certfile.txt|fold -w2|tac|tr -d "\n" > certfile-rev.txt

Then convert the hex into binary
xxd -r -p certfile-rev.txt mycert.pfx


Now you have a valid pkcs12 container.


Now the annoying bit, the private key is encrypted - D'oh! ("openssl pkcs12 -info -in mycert.pfx")

the password crypt/hash is here:
GuiDBedit - Table / Other / SSL_inpsection / general_confs_obj / ssl_cert_key

In my case, I just bruteforced my new pfx file, I used the blazingly fast linux package called "crackpkcs12" which recovered my simple password in less than 1 second so I had no need to look further into the password storage but I'm sure its recoverable. GL!