topic Re: Trusted CA list update issues in Firewall and Security Management

Trusted CA list update issues

Emil_T — Sun, 02 Nov 2025 20:50:39 GMT

My trusted CA lists is outdated.

I have Trusted CAs configured to "Download and install updates automatically"

Diagnose steps I took:

cat $CPDIR/database/downloads/TRUSTED_CA/2.0/Update_Status.dat

[Expert@fc-fw-mgmt:0]# cat Update_Status.dat
(
:Last_Update_Status (3)
:Last_Update_Time (1762070951)
:Last_Update_Reason ()
:Success_Time (1756302852)
)

[Expert@fc-fw-mgmt:0]# date -d 1756302852d @
Wed Aug 27 16:54:12 IDT 2025

[Expert@fc-fw-mgmt:0]# date -d @176207095
Sun Nov 2 10:09:11 IST 2025

[Expert@fc-fw-mgmt:0]# ll
total 16
drwx------ 2 admin root 56 Aug 12 16:53 3.8
drwx------ 2 admin root 56 Aug 27 16:54 3.9
-rw-rw-r-- 1 admin config 113 Nov 2 10:09 Update_Status.dat
-rw-rw---- 1 admin root 66 Aug 27 16:54 last_revision.xml
-rw-rw---- 1 admin config 66 Aug 27 16:54 last_revision_old.xml
-rw-rw---- 1 admin root 10 Aug 27 16:54 tmp_revisions_order.txt

Looks like it had a successful update 2 months ago

I have looked into few articles and threads such as:

https://support.checkpoint.com/results/sk/sk64521

https://support.checkpoint.com/results/sk/sk173629

https://support.checkpoint.com/results/sk/sk132812

https://support.checkpoint.com/results/sk/sk64521

https://community.checkpoint.com/t5/Management/Updating-trusted-CA-list-on-mgmt-server/m-p/150614

https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-root-CA-updates/td-p/5006

None of those has information regarding updates logs or troubleshoot.

Ver: R81.20

R81_20_JUMBO_HF_MAIN Take: 113

How do I know the list is not updated?
For example: msn.com chain is DigiCert Global Root G2 > Microsoft Azure RSA TLS Issuing CA 03 > *.msn.com
DigiCert Global Root G2 is missing from the list.

I also get HTTPS inspection errors like:

Certificate Chain is not signed by a Trusted CA. Refer to sk179944 for more details.
Certificate DN: 'CN=*.msn.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US' Requested Server Name: msn.com

Re: Trusted CA list update issues

the_rock — Sun, 02 Nov 2025 21:25:24 GMT

I dont sadly have R81.20 to test, but I believe this is all auto updated in R82.

Re: Trusted CA list update issues

the_rock — Sun, 02 Nov 2025 21:34:00 GMT

This is what I was referring to (attached)

Re: Trusted CA list update issues

Emil_T — Sun, 02 Nov 2025 21:46:16 GMT

It's autoupdates in 81.20 as well

What I need is logs...

Re: Trusted CA list update issues

the_rock — Sun, 02 Nov 2025 21:50:56 GMT

try this filter in the logs:

blade:"HTTPS Inspection"

Re: Trusted CA list update issues

Emil_T — Sun, 02 Nov 2025 22:04:36 GMT

Nop, this shows only inspection traffic logs

Re: Trusted CA list update issues

the_rock — Sun, 02 Nov 2025 22:42:33 GMT

Let me see if I can figure this out in the lab tomorrow. So essentially, you want to see logs when trusted CA list has been updated, correct?

Re: Trusted CA list update issues

Emil_T — Sun, 02 Nov 2025 22:48:32 GMT

Yes. What I really need is to see the failure log / debug because it's not updating

Thx

Re: Trusted CA list update issues

the_rock — Sun, 02 Nov 2025 22:53:29 GMT

Does anything come up if you search for “Untrusted Certificate – Certificate Chain is not signed by a Trusted CA” or just “Untrusted Certificate"?

Re: Trusted CA list update issues

Emil_T — Mon, 03 Nov 2025 06:58:31 GMT

Yes, exactly like I wrote in the issue description:

Quote:
"I also get HTTPS inspection errors like:

Certificate Chain is not signed by a Trusted CA. Refer to sk179944 for more details.
Certificate DN: 'CN=*.msn.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US' Requested Server Name: msn.com"

Re: Trusted CA list update issues

the_rock — Mon, 03 Nov 2025 12:32:47 GMT

I know thats what you wrote, thats why I was wondering if you see any logs with those messages?

Re: Trusted CA list update issues

the_rock — Mon, 03 Nov 2025 13:04:39 GMT

Hey Emil,

This is what I was referring to.

Re: Trusted CA list update issues

Emil_T — Mon, 03 Nov 2025 14:17:45 GMT

Yes. This s the log I see in traffic monitor: (This is one example)
Certificate Chain is not signed by a Trusted CA. Refer to sk179944 for more details.
Certificate DN: 'CN=*.msn.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US' Requested Server Name: msn.com"

Re: Trusted CA list update issues

Emil_T — Mon, 03 Nov 2025 14:20:10 GMT

Yes. It is set. I attached a screenshot in the original question. In my version it's slightly different. But it is set to automatic and I need the debug logs to understand what is the problem with the updates

Re: Trusted CA list update issues

the_rock — Mon, 03 Nov 2025 14:20:52 GMT

Hm...thats a bit odd. Not sure why it would give an sk related to standalone config.

Re: Trusted CA list update issues

Emil_T — Mon, 03 Nov 2025 14:25:52 GMT

Yeah but that's not important. The issue here is the CA updating.

Re: Trusted CA list update issues

the_rock — Mon, 03 Nov 2025 14:28:26 GMT

I get it. Might be worth TAC case, if you had not opened one yet.

Re: Trusted CA list update issues

the_rock — Tue, 04 Nov 2025 20:20:14 GMT

Hey mate,

Please let us know once you figure this out, Im also super curious.