topic Re: Import a trusted CA cert to Gaia OS in General Topics

Import a trusted CA cert to Gaia OS

Ryan_Ryan — Mon, 22 Nov 2021 02:29:36 GMT

Hi,

we have our Checkpoint manager behind another device doing HTTPS inspection, what we need is to import its cert as a trusted root ca to the operating system so its trusted, like you would need to do for all Windows/Linux clients behind a checkpoint gateway doing inspection.

Is this possible? I have tried adding it to the https inspection blade trusted CA list but it still shows an untrusted error when connecting.

Can we access the cert store on a checkpoint box?

cheers

Re: Import a trusted CA cert to Gaia OS

G_W_Albrecht — Mon, 22 Nov 2021 08:53:37 GMT

Did you follow sk108202: Best Practices - HTTPS Inspection and use "Update certificate list" option ?

Re: Import a trusted CA cert to Gaia OS

Ryan_Ryan — Mon, 22 Nov 2021 20:31:14 GMT

Hi yes I have read that, however it's not really my case, my checkpoint manager is not doing https inspection and should have no configuration relating to that, its behind another device doing https inspection (for arguments sakes lets say its not a checkpoint nor a device we have management of and bypassing is not possible), how can I make the manager trust it as a root CA?

Is there access to the gaia system cert store I can drop the certificate in? normal linux systems you can copy and paste the cert to ca-certificates folder but I dont see any such folder on checkpoint

Re: Import a trusted CA cert to Gaia OS

genisis__ — Mon, 22 Nov 2021 22:24:52 GMT

I've done something similar, but sure if its applicable in this case.

My requirement was to allow the CP Mgr access to the internet via a Fortigate which was doing https inspection. Therefore the only way to achieve this was to ensure the Fortigates certificate was trusted by the Mgr.

We had to add the cert in two places, the reason for this was to firstly ensure the Application level could get updates ie. IPS etc, and secondly so that the OS could get updates, ie. Jumbos etc.

The way I got it working was never confirmed as a supported solution by TAC, but at the same time they never really gave me a solution either.

Is this what you want to do?

Re: Import a trusted CA cert to Gaia OS

Ryan_Ryan — Mon, 22 Nov 2021 22:25:58 GMT

yes 100% what i need!

Could you please share how to do it? thanks!

Re: Import a trusted CA cert to Gaia OS

genisis__ — Fri, 03 May 2024 10:26:27 GMT

Here is the note I made:

How to get updates working when there is an upstream Proxy doing Deep SSL Inspection:
You will need to export the CA file from the upstream device and then add this to the ca-bundle.crt file in two locations on the Checkpoint Manager (assuming that this is where the issue is).

$CPDIR/conf/ca-bundle.crt <-- This is so that Application level updates can work.
$FWDIR/bin/ca-bundle.crt <-- This is so that GAIA level updates work.

Note this has been tested from a R80.40 SMS. However important to note that the file could change as part of upgrade or jumbo installation.

Additionally the above solution is not supported by TAC.

Re: Import a trusted CA cert to Gaia OS

Ryan_Ryan — Wed, 24 Nov 2021 01:28:16 GMT

thank you!! that did the trick.

Re: Import a trusted CA cert to Gaia OS

Max91 — Mon, 25 Mar 2024 12:11:21 GMT

Hey,

On which machine should you edit the CA-Bundle file mgmt or gateways?

Do I need to run an update command? for example "rehash_ca_bundle?

Thank You

Re: Import a trusted CA cert to Gaia OS

G_W_Albrecht — Tue, 26 Mar 2024 10:22:13 GMT

- mgmt

- no, you add it manually

Re: Import a trusted CA cert to Gaia OS

emreturkmenler — Wed, 01 May 2024 13:01:25 GMT

My purpose is to add our local root Certificate as we're having some issues, wondering if this will solve the inspection issue.

Do we just add the root certificate as text to this bundle-ca.crt file and nothing else?

Re: Import a trusted CA cert to Gaia OS

PhoneBoy — Wed, 01 May 2024 14:49:27 GMT

Root CA and any intermediate CAs needed to validate the relevant certificates.