HTTPS inspection root CA updates

I have observed that some firewall managers in the field are being notified of updates to the HTTPS root Trusted Root CAs list that the firewalls use for HTTPS inspection and others are not. In all cases they have 'notify when a trusted CA and blacklist update file is available for installation' ticked.

Keeping this list up to date is vital, as recent issues with Microsoft Updates failing to be properly excluded from HTTPS inspection due to missing root CAs have clearly demonstrated to me.

There's a Check Point article sk64521 which says this process is automated but gives a method for a manual update, but it uses the rather glib throwaway line of: At the top, click on Actions button - select Update certificate list... - browse for the ZIP file with certificates - click on Open

Does anyone know where to obtain this .zip file from?

I was wondering if I could try to get it from a site where the download had been successful, but I don't know where it would be downloaded to or what it might be called.

There are no clues that I can find in the aforementioned article.

Anyone had any success with updating this list manually?

5 Replies

Re: HTTPS inspection root CA updates

I did not update this file manually, but I'm pretty sure that you can open a live chat and ask for that file.

Admin

Re: HTTPS inspection root CA updates

The file is provided on Download Center (i.e. where your gateway receives most updates from), but the exact location is not disclosed.

Even so, the file downloaded is signed and not meant to be modified.

However, if you want to modify the trusted CA list for HTTPS Inspection, this can be done in SmartDashboard.

In R80 and R80.10 SmartConsole, go to Manage & Settings > Blades > HTTPS Inspection and click on the Configure in SmartDashboard link.

In R77.30 and earlier SmartDashboard, go to Application & URL Filtering > Advanced > HTTPS Inspection > Trusted CAs.

Re: HTTPS inspection root CA updates

Thanks, I appreciate the reply.

I'm not looking to modify the file or the list by adding a CA or taking one away. What I'm looking to do is get a management server up to date, exactly as in the file, to be like one that has auto-updated, by using the instructions in the SK article, but I can't because I don't know how to obtain the ZIP file.

Most sites get the updates automatically downloaded, but on one or two (including my own) it just doesn't do it, so I was looking to kick off the update.

I'll try opening a chat dialog as Marco suggests and see what happens. I'll report back if it works...

I have heard from a colleague that 183 changes were made in the last update that he received, so it's pretty important to keep this up to date. I have personally observed problems with the exceptions for Windows updates on sites where the root CA list was not up to date. Microsoft has four root CAs last time I checked and all four are essential.

Admin

Re: HTTPS inspection root CA updates

You may want to have a look at this SK and see if it provides any clues: "curl: (900) servercert: Error - server certificate validation failed!" when running "curl_cli" comm... 

Re: HTTPS inspection root CA updates

I used to import the root certificate manually (exported it to a *.cer file from the browser). It partly solved the issue, but the zip file with all root certificates is needed.
