cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question
Vladimir
Pearl

Replacement of Outbound Certificate for HTTPS inspection

Jump to solution

I have run into this issue today when trying to replace the outbound certificate on one of my lab gateways.

New certificate was issued by following sk108641 How to Renew or Import a new HTTPS Inspection certificate 

Changes were saved, Policy published and installed and the gateway rebooted (reboot was not in the sk).

New certificate was distributed to the clients and installed.

Still am seeing original certificate in the property of the gateway's HTTPS Inspection:

 

As well as in the clients accessing the Internet through this gateway.

My questions are: what should be done to actually replace the cert on the gateway and if there is a CRL function that could be used to bag the old one.

Thank you,

Vladimir

1 Solution

Accepted Solutions
Vladimir
Pearl

Re: Replacement of Outbound Certificate for HTTPS inspection

Jump to solution

OK. This issue is solved:

In addition to saving changes, publishing and installing Access Control policy, the Threat Prevention policy must be reinstalled as well. This will allow the new certificate to take effect, but the HTTPS certificate in the gateway's properties will still be showing the old cert.

SmartConsole must be closed and you have to log in to it again in order to show the new certificate in the gateway's properties.

4 Replies
Vladimir
Pearl

Re: Replacement of Outbound Certificate for HTTPS inspection

Jump to solution

OK. This issue is solved:

In addition to saving changes, publishing and installing Access Control policy, the Threat Prevention policy must be reinstalled as well. This will allow the new certificate to take effect, but the HTTPS certificate in the gateway's properties will still be showing the old cert.

SmartConsole must be closed and you have to log in to it again in order to show the new certificate in the gateway's properties.

Tom_Cripps
Copper

Re: Replacement of Outbound Certificate for HTTPS inspection

Jump to solution

Hi Vladimir, 

We're facing a similar issue with this, we're now looking to import a new certificate as our outbound certificate. I'm guessing the format of the certificate is for it to being issued by itself yes? I've seen document of like first time installations on HTTPS inspection and there is a "create" button when first deploying it. I'm guessing we would need to do, install from a file as it will be a new certificate and then add the password bound to the certificate.

Then we will need to export and deploy across our domain then.

0 Kudos
Vladimir
Pearl

Re: Replacement of Outbound Certificate for HTTPS inspection

Jump to solution

Tom, please clarify what you are trying to achieve.

When you are stating that you are trying to "Import new certificate", is this on the gateway or on hosts behind it?

Normally, you would use self-signed CA cert on the gateway, as it is a root CA or Sub CA capable of issuing certs for any inspected web sites.

See:

HTTPS inspection with 3rd party certificate shows browser error 

If you are simply trying to replace the outbound cert, follow my post above and re-deploy the cert through your environment to the clients/hosts using either group policy, scripted or manual installation.

0 Kudos
Tom_Cripps
Copper

Re: Replacement of Outbound Certificate for HTTPS inspection

Jump to solution

Hi Vladimir, 

We seem to have it under control now. We was trying to get a new certificate on the Gateways using the import from file option. We just need to trust the outbound certificate in the Trusted CA's part in SmartDashboard

0 Kudos