https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123177#M17662 <P>Hello everyone!</P><P>Recently stumbled upon a peculiar problem with the inbound HTTPS inspection. We host a server, inbound traffic to which is being inspected. The server can be accessed via web by regular browsers or by a mobile app designed specifically for this server application. Everything works as expected with regular browser connections. However, problem arises when the mobile app tries to connect. Strictly speaking, the problem is with the Android version of the app. Sometimes the app doesn't respond to Server's TLS Hello, other times it responds with <EM>"TLSv Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)"</EM></P><P>I did some investigating and found out that Checkpoint's Inspection mechanism sends just the web certificate of the server in Server Hello, while the server itself sends the whole certificate chain including the CA. Otherwise Checkpoint's and servers' Hello packets are nearly identical.</P><P><STRONG>Checkpoint's Server Hello:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 660px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12476i9140054A84640D3B/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></P><P><STRONG>Original Server Hello:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 890px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12477iF9098A0139EC1FE1/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P><P>&nbsp;</P><P>Now the question is, is it possible to enable transmission of the whole certificate chain in HTTPS Inspection and, if yes, how can it be done?</P> Wed, 07 Jul 2021 12:34:39 GMT i80r 2021-07-07T12:34:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123177#M17662 <P>Hello everyone!</P><P>Recently stumbled upon a peculiar problem with the inbound HTTPS inspection. We host a server, inbound traffic to which is being inspected. The server can be accessed via web by regular browsers or by a mobile app designed specifically for this server application. Everything works as expected with regular browser connections. However, problem arises when the mobile app tries to connect. Strictly speaking, the problem is with the Android version of the app. Sometimes the app doesn't respond to Server's TLS Hello, other times it responds with <EM>"TLSv Record Layer: Alert (Level: Fatal, Description: Certificate Unknown)"</EM></P><P>I did some investigating and found out that Checkpoint's Inspection mechanism sends just the web certificate of the server in Server Hello, while the server itself sends the whole certificate chain including the CA. Otherwise Checkpoint's and servers' Hello packets are nearly identical.</P><P><STRONG>Checkpoint's Server Hello:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 660px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12476i9140054A84640D3B/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></P><P><STRONG>Original Server Hello:</STRONG></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 890px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/12477iF9098A0139EC1FE1/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P><P>&nbsp;</P><P>Now the question is, is it possible to enable transmission of the whole certificate chain in HTTPS Inspection and, if yes, how can it be done?</P> Wed, 07 Jul 2021 12:34:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123177#M17662 i80r 2021-07-07T12:34:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123198#M17669 <P>When setting up inbound inspection certificate, you need to take it with the whole chain, not just intermediary CA one.&nbsp;</P> Wed, 07 Jul 2021 13:59:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123198#M17669 _Val_ 2021-07-07T13:59:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123246#M17676 <P>Thank you _Val_!</P><P>For those, who are interested how to convert a pfx/p12 certificate to a chain here is the solution:</P><P><A href="https://www.computertechblog.com/create-a-pfx-file-with-a-certificate-chain/" target="_blank">https://www.computertechblog.com/create-a-pfx-file-with-a-certificate-chain/</A></P><P>&nbsp;</P> Thu, 08 Jul 2021 05:02:21 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123246#M17676 i80r 2021-07-08T05:02:21Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123248#M17677 <P>Strictly speaking you should not include CA root certificate in a chain. It is supposed to be fetched from a local trusted store. For Windows that is&nbsp;<STRONG>Trusted Root Certificate Authorities</STRONG> store and for CheckPoint that is <STRONG>Trusted CAs</STRONG> store.</P> <P>If your software *requires* CA root certificate to be included in the chain then that is kind of not correct...</P> Thu, 08 Jul 2021 05:08:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123248#M17677 HristoGrigorov 2021-07-08T05:08:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123251#M17678 <P>The software does fetch CA from a trusted store but apparently not all of the android devices have Sectigo root certificate in it.</P> Thu, 08 Jul 2021 05:12:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-certificate-chain/m-p/123251#M17678 i80r 2021-07-08T05:12:45Z