John_Fenoughty
Collaborator

HTTPS inspection root CA updates

I have observed that some firewall managers in the field are being notified of updates to the HTTPS root Trusted Root CAs list that the firewalls use for HTTPS inspection and others are not. In all cases they have 'notify when a trusted CA and blacklist update file is available for installation' ticked.

Keeping this list up to date is vital, as recent issues with Microsoft Updates failing to be properly excluded from HTTPS inspection due to missing root CAs have clearly demonstrated to me.

There's a Check Point article sk64521 which says this process is automated but gives a method for a manual update, but it uses the rather glib throwaway line of: At the top, click on Actions button - select Update certificate list... - browse for the ZIP file with certificates - click on Open

Does anyone know where to obtain this .zip file from?

I was wondering if I could try to get it from a site where the download had been successful, but I don't know where it would be downloaded to or what it might be called.

There are no clues that I can find in the aforementioned article.

Anyone had any success with updating this list manually?

5 Replies
Marco_Valenti
Advisor

I did not update this file manually but I'm pretty sure that you can open a live chat and ask for that file

0 Kudos
PhoneBoy
Admin

The file is provided on Download Center (i.e. where most updates your gateway receives come from), but the exact location is not disclosed.

Even so, the file downloaded is signed and not meant to be modified.

However, if you want to modify the trusted CA list for HTTPS Inspection, this can be done in SmartDashboard.

In R80 and R80.10 SmartConsole, go to Manage & Settings > Blades > HTTPS Inspection and click on the Configure in SmartDashboard link.

In R77.30 and earlier SmartDashboard, go to Application & URL Filtering > Advanced > HTTPS Inspection > Trusted CAs.

John_Fenoughty
Collaborator

Thanks, I appreciate the reply.

 

I'm not looking to modify the file or the list by adding a CA or taking one away. What I'm looking to do is get a management server up to date, exactly as in the file to be like one that has auto-updated, by using the instructions in the SK article but I can't because I don't know how to obtain the ZIP file.

 

Most sites get the updates automatically downloaded, but on one or two (including my own) it just doesn't do it, so I was looking to kick off the update.

I'll try opening a chat dialog as Marco suggests and see what happens. I'll report back if it works...

I have heard from a colleague that 183 changes were made in the last update that he received, so it's pretty important to keep this up to date. I have personally observed problems with the exceptions for Windows updates on sites where the root CA list was not up to date. Microsoft has four root CAs last time I checked and all four are essential.

0 Kudos
PhoneBoy
Admin

You may want to have a look at this SK and see if it provides any clues: "curl: (900) servercert: Error - server certificate validation failed!" when running "curl_cli" comm... 

0 Kudos
Konstantin_Tsoy
Explorer

I used to import the root certificate manually (exported it to a *.cer file from the browser). It partly solved the issue, but the zip file with all root certificates is needed.

0 Kudos
