topic ssl decryption and temp cert management in General Topics

ssl decryption and temp cert management

Alex_Samad — Tue, 04 Sep 2018 02:18:49 GMT

I ran into an issue with the decryption cert being provide by my PA it had expired.

it was 30 days in. I believe this is an issue with the date time comparision and timezones as it has fixed itself today.

How do i find / look at these temp certs via the cli

how can i delete / renew or purge them from the cli

Remo — Tue, 04 Sep 2018 21:01:12 GMT

Renew:

request certificate renew certificate-name <value> days-till-expiry <1-7300>

Revoke:

request certificate revoke certificate-name <value>

Show:

configure
show shared certificate-profile <name>

Show the expiration dates of all certs on the firewall:

set cli config-output-format set
configure
show shared certificate | match not-valid-after

In the CLI you can use this command to find other commands:

find command keyword <value>

Alex_Samad — Fri, 14 Sep 2018 01:17:47 GMT

These are not the certs created by the ssl proxy

Should add my Support Engineer basically said you can't see them.

Remo — Fri, 14 Sep 2018 07:39:17 GMT

Ups ... I (completely) misunderstood something here 😛

With this command you can show at least some of the information that you asked for:

show system setting ssl-decrypt certificate-cache

And yes, a certificate managment isn't really possible with these dynamically created certs.

Remo — Fri, 14 Sep 2018 07:41:35 GMT

Alex_Samad — Fri, 14 Sep 2018 07:50:52 GMT

thats strange

I do this

show system setting ssl-decrypt certificate-cache | match flynumber

I know flynumber is in there , but this comes back with nothing