https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-and-Qualys-SSL-Labs-results/m-p/256495#M50230 <P>Hi,</P><P>I wanted to find out from others if this behavior is normal or not.&nbsp; Whenver I run an SSL labs qualys check on our systems just to ensure there isn't a broken chain, the systems that I have inbound HTTPS inspection enabled for show up in the results of the chain indicating 'contains anchor'.&nbsp; What I found out is that is inferring that the whole chain including the root certificate is being presented to the client.&nbsp; What I learned is that my systems really only need the internmediate certificate in the chain as the root is normally trusted by the client.&nbsp; When I bypass HTTPS inspection and run the ssl labs test again, It doesn't present any issues with the chain including the 'contains anchor' warning (assuming it's just a warning).</P><P>Anyway, I'm curious if anyone else sees this type of behavior when testing their SSL certificates to ensure there isn't a broken chain or any issues when inbound HTTPS inspection is enabled.</P><P>And I do have the updated P12 certificate imported and applied to the rule.&nbsp;&nbsp;</P><P>But is this normal to see 'contains anchor' when HTTPS inspection is turned on?</P><P>JB</P> Wed, 03 Sep 2025 13:42:07 GMT jberg712 2025-09-03T13:42:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-and-Qualys-SSL-Labs-results/m-p/256495#M50230 <P>Hi,</P><P>I wanted to find out from others if this behavior is normal or not.&nbsp; Whenver I run an SSL labs qualys check on our systems just to ensure there isn't a broken chain, the systems that I have inbound HTTPS inspection enabled for show up in the results of the chain indicating 'contains anchor'.&nbsp; What I found out is that is inferring that the whole chain including the root certificate is being presented to the client.&nbsp; What I learned is that my systems really only need the internmediate certificate in the chain as the root is normally trusted by the client.&nbsp; When I bypass HTTPS inspection and run the ssl labs test again, It doesn't present any issues with the chain including the 'contains anchor' warning (assuming it's just a warning).</P><P>Anyway, I'm curious if anyone else sees this type of behavior when testing their SSL certificates to ensure there isn't a broken chain or any issues when inbound HTTPS inspection is enabled.</P><P>And I do have the updated P12 certificate imported and applied to the rule.&nbsp;&nbsp;</P><P>But is this normal to see 'contains anchor' when HTTPS inspection is turned on?</P><P>JB</P> Wed, 03 Sep 2025 13:42:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-and-Qualys-SSL-Labs-results/m-p/256495#M50230 jberg712 2025-09-03T13:42:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-and-Qualys-SSL-Labs-results/m-p/256530#M50240 <P>To prevent issues with validating the certificate chain, we recommend including the entire certificate chain as part of the import of any CA certificate (including for HTTPS Inspection).<BR />This is likely why you see this result and it would, therefore, be expected.</P> Wed, 03 Sep 2025 17:48:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Inbound-HTTPS-inspection-and-Qualys-SSL-Labs-results/m-p/256530#M50240 PhoneBoy 2025-09-03T17:48:29Z