CPUG: The Check Point User Group

Thread: Export https inspection certificates off the firewall

  1. #1

    Hi all,

    I am building another firewall (another vendor), and in order to make life easy I want to take the certificate and private key off the CP manager (the one that is used for HTTPS inspection) so I can import it into my other device (saves me getting another cert signed and deploying it to all users).

    I know it's probably not a supported procedure, but I think I have found what I need here: /var/opt/CPsuite-R77/fw1/conf/ssl_certificates.C (all the details match those of my cert).

    In that file it seems to give me a text representation of a pkcs12 cert, and another string called pki sign key. I'm just wondering if anyone knows how I can generate a certificate file out of this data in openssl (or export it from the Check Point). I tried just pasting the text into a file and running it through openssl, but it doesn't like the format.

    thanks!

  2. #2 (mcnallym)

    In SmartConsole, under Application Control & URL Filtering / Advanced / HTTPS Inspection / Gateways, the bottom of the page lists the Self Generated CA Certificate that would be generated.

    There is an Export option on that page.

    If it was from a Certificate Vendor, i.e. a Trusted CA Issuer etc., then can't you get a copy of the Certificate again if you purchased one?

  3. #3 (Flamer)

    Quote Originally Posted by mcnallym:
    In SmartConsole, under Application Control & URL Filtering / Advanced / HTTPS Inspection / Gateways, the bottom of the page lists the Self Generated CA Certificate that would be generated.

    There is an Export option on that page.

    If it was from a Certificate Vendor, i.e. a Trusted CA Issuer etc., then can't you get a copy of the Certificate again if you purchased one?

    Thanks for the reply. Yes, I know that export function; unfortunately that is just a .cer file (public key only), so it does not export the private key.

    The data I have found in /var/opt/CPsuite-R77/fw1/conf/ssl_certificates.C: I am now 100% positive this is my pkcs12 file (private+public key) stored in hex format. This exact data blob is found in the same location on all my gateways that are doing HTTPS inspection, with the exact same hex value; the expiration dates and CN names tie up with those of my inspection certificate. So now the tricky part is figuring out how to get it back into a pkcs12 container.

    FYI this is what it looks like:

    :certificate_name ("Email=concealed,CN=concealed")
    :color (black)
    :comments ()
    :dn ("Email=concealed,CN=concealed")
    :doubleSignCert ()
    :generated_by_auto_enrollment (true)
    :issuer ("CN=mycertsrver")
    :pkcs12buf (0008020<TRIMMED>c8230)
    :pkisignkey (d27<TRIMMED>31)
    :type (pkcs12cert)
    :valid_from (1487561977)
    :valid_to (1645241977)

  4. #4 (jflemingeds)

    Quote Originally Posted by Flamer:
    Thanks for the reply. Yes, I know that export function; unfortunately that is just a .cer file (public key only), so it does not export the private key.

    The data I have found in /var/opt/CPsuite-R77/fw1/conf/ssl_certificates.C: I am now 100% positive this is my pkcs12 file (private+public key) stored in hex format. This exact data blob is found in the same location on all my gateways that are doing HTTPS inspection, with the exact same hex value; the expiration dates and CN names tie up with those of my inspection certificate. So now the tricky part is figuring out how to get it back into a pkcs12 container.

    FYI this is what it looks like:

    :certificate_name ("Email=concealed,CN=concealed")
    :color (black)
    :comments ()
    :dn ("Email=concealed,CN=concealed")
    :doubleSignCert ()
    :generated_by_auto_enrollment (true)
    :issuer ("CN=mycertsrver")
    :pkcs12buf (0008020<TRIMMED>c8230)
    :pkisignkey (d27<TRIMMED>31)
    :type (pkcs12cert)
    :valid_from (1487561977)
    :valid_to (1645241977)

    I don't have a pkcs file handy to look at, but what are you thinking? Like, is the hex string missing something, or is it more a question of how you take hex input and convert it into a binary? From the very little I read, it sounds like pkcs is a binary archive, so I'm thinking it might have what it needs already.
    Last edited by jflemingeds; 2019-01-22 at 23:15.

  5. #5

    That's a good question!

    Well, if I chuck that hex blob into a file and convert it to binary (xxd), then treat it like a normal .p12 file in openssl and try to export the private key out of it (openssl pkcs12 -in test.bin -nocerts -out test.pem), I get thrown an error which basically states the input is in an unknown format.

    So my suspicion is this hex blob is not a direct hex dump of the original binary; they have run the original pkcs12 through some function to spit it out in this format.

  6. #6 (jflemingeds)

    Hmm. Did you run file or maybe binwalk against the binary to see what they think it is? Most likely you're correct, but there's a slim chance..

  7. #7 (jflemingeds)

    One other thought.. could that be only the public key, and the sign key be the private one?

  8. #8

    Quote Originally Posted by jflemingeds:
    Hmm. Did you run file or maybe binwalk against the binary to see what they think it is? Most likely you're correct, but there's a slim chance..

    Yeah, tried that; it just returns "binary".

    Quote Originally Posted by jflemingeds:
    One other thought.. could that be only the public key, and the sign key be the private one?

    Doesn't appear to be: the "pkcs12buf" field contains 6000+ characters, the "pkisignkey" field contains just 40. I think the sign key may be something to do with the encryption of the buffer. I'll keep playing and hopefully one day figure it out.

  9. #9

    In case this helps someone in the future, here are the steps to extract your inspection certificate, which I figured out:

    First export the .cer file off your gateway (under the Gateways tab in the HTTPS inspection policy), open it and make a note of the issued-to name and the valid dates.

    Look in this file: $FWDIR/conf/ssl_certificates.C

    Your inspection cert will be in here. In case you have more than one, find the one whose issued-to name and valid dates match the exported .cer as above. The dates are stored as a timestamp, e.g. (1548441239); go online and search for "epoch date converter". In this case that date translates to "Friday, January 25, 2019".

    Now that you know which cert is the correct one, grab all the hex content in the "pkcs12buf" field (don't include the brackets). Save it into a text file called certfile.txt and load up your Linux machine.

    You need to reverse the hex bytes:
    cat certfile.txt|fold -w2|tac|tr -d "\n" > certfile-rev.txt

    Then convert the hex into binary
    xxd -r -p certfile-rev.txt mycert.pfx

    Now you have a valid pkcs12 container.

    Now the annoying bit: the private key is encrypted. D'oh! ("openssl pkcs12 -info -in mycert.pfx")

    The password crypt/hash is here:
    GuiDBedit - Table / Other / SSL_inspection / general_confs_obj / ssl_cert_key

    In my case, I just brute-forced my new pfx file. I used the blazingly fast Linux package called "crackpkcs12", which recovered my simple password in less than 1 second, so I had no need to look further into the password storage, but I'm sure it's recoverable. GL!
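As an added example (not code from the thread or from Check Point), the byte-reversal and hex-to-binary steps from post #9 as POSIX shell functions, plus a sanity check that the output starts with the DER SEQUENCE tag a PKCS#12 file must begin with. Function names are mine, the sample hex is constructed, and only fold, sed, tr, printf, dd and od are assumed, so it works where xxd is not installed.

```shell
#!/bin/sh
# Added example for post #9's procedure; not part of the original thread.
# All sample data below is constructed.

# Reverse a hex string one byte (two hex digits) at a time.
# Same effect as the thread's "fold -w2 | tac | tr -d '\n'", with the
# classic sed one-liner standing in for tac on systems that lack it.
reverse_hex_bytes() {
    printf '%s' "$1" | fold -w2 | sed '1!G;h;$!d' | tr -d '\n'
}

# Write a hex string to $2 as raw bytes (what "xxd -r -p" does).
# Returns 1 on an odd-length string, which cannot be valid byte data.
hex_to_binary() {
    hex=$1; out=$2
    : > "$out"
    while [ -n "$hex" ]; do
        [ ${#hex} -ge 2 ] || return 1
        byte=${hex%"${hex#??}"}          # first two hex digits
        hex=${hex#??}                    # drop them
        printf "\\$(printf '%03o' "0x$byte")" >> "$out"
    done
}

# Return 0 if the file's first byte is 0x30, the DER SEQUENCE tag that
# opens every PKCS#12 (PFX) container; anything else means the reversal
# was not applied (or was applied twice).
looks_like_der_sequence() {
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ]
}

# Constructed sample: DER SEQUENCE { INTEGER 5 } is 30 03 02 01 05.
# Stored byte-reversed, as the thread reports pkcs12buf is, it reads:
SAMPLE_REVERSED_HEX=0501020330

demo() {
    fixed=$(reverse_hex_bytes "$SAMPLE_REVERSED_HEX")   # 3003020105
    hex_to_binary "$fixed" "${TMPDIR:-/tmp}/sample.der"
    if looks_like_der_sequence "${TMPDIR:-/tmp}/sample.der"; then
        echo "output starts with a DER SEQUENCE; try: openssl pkcs12 -info -in <file>"
    else
        echo "not DER; check that the hex was reversed exactly once"
    fi
}

demo
```

On a real pkcs12buf, a file that passes the check but still fails in openssl points at the key password described above rather than at the conversion.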
