Hi,
we have our Checkpoint manager behind another device doing HTTPS inspection, what we need is to import its cert as a trusted root ca to the operating system so its trusted, like you would need to do for all Windows/Linux clients behind a checkpoint gateway doing inspection.
Is this possible? I have tried adding it to the https inspection blade trusted CA list but it still shows an untrusted error when connecting.
Can we access the cert store on a checkpoint box?
cheers
Did you follow sk108202: Best Practices - HTTPS Inspection and use the "Update certificate list" option?
Hi, yes I have read that; however, it's not really my case. My Check Point manager is not doing HTTPS inspection and should have no configuration relating to that. It's behind another device doing HTTPS inspection (for argument's sake, let's say it's not a Check Point nor a device we have management of, and bypassing is not possible). How can I make the manager trust it as a root CA?
Is there access to the Gaia system cert store that I can drop the certificate in? On normal Linux systems you can copy and paste the cert to the ca-certificates folder, but I don't see any such folder on Check Point.
I've done something similar, but not sure if it's applicable in this case.
My requirement was to allow the CP Mgr access to the internet via a FortiGate which was doing HTTPS inspection. Therefore the only way to achieve this was to ensure the FortiGate's certificate was trusted by the Mgr.
We had to add the cert in two places. The reason for this was firstly to ensure the application level could get updates, i.e. IPS etc., and secondly so that the OS could get updates, i.e. Jumbos etc.
The way I got it working was never confirmed as a supported solution by TAC, but at the same time they never really gave me a solution either.
Is this what you want to do?
Yes, 100% what I need!
Could you please share how to do it? thanks!
Here is the note I made:
How to get updates working when there is an upstream Proxy doing Deep SSL Inspection:
You will need to export the CA file from the upstream device and then add this to the ca-bundle.crt file in two locations on the Checkpoint Manager (assuming that this is where the issue is).
$CPDIR/conf/ca-bundle.crt <-- This is so that Application level updates can work.
$FWDIR/bin/ca-bundle.crt <-- This is so that GAIA level updates work.
Note this has been tested from an R80.40 SMS. However, it is important to note that the file could change as part of an upgrade or Jumbo installation.
Additionally the above solution is not supported by TAC.
thank you!! that did the trick.
Hey,
On which machine should you edit the ca-bundle file, mgmt or gateways?
Do I need to run an update command, for example "rehash_ca_bundle"?
Thank You
- mgmt
- no, you add it manually
My purpose is to add our local root certificate, as we're having some issues; wondering if this will solve the inspection issue.
Do we just add the root certificate as text to this bundle-ca.crt file and nothing else?
Root CA and any intermediate CAs needed to validate the relevant certificates.
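As an added example (not code from the thread or from Check Point), the procedure from the reply above, done as a script: the exported CA in PEM form is appended to the two ca-bundle.crt files the reply names, only if it is not already there, with a dated copy kept first because the reply warns an upgrade or Jumbo may replace the file. It assumes the Gaia expert shell with $CPDIR and $FWDIR set and a PEM file you supply; the final function uses openssl to confirm a certificate issued by the inspecting device now validates, with the intermediates the last reply says are needed.

```shell
# Added example, not the thread's or Check Point's code: append an upstream
# HTTPS-inspection CA (PEM) to both bundle files the reply names, idempotently
# and with a dated backup. Expert shell on the management server assumed.

# Structural PEM check: at least one certificate, every BEGIN matched by an END.
pem_is_wellformed() {
    local begins ends
    [ -r "$1" ] || return 1
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ]
}

# Base64 bodies of all certificates in FILE, whitespace stripped and concatenated,
# so "already in the bundle" can be tested textually without openssl.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '^-----' | tr -d ' \t\r\n'
}

# Exit status: 0 appended, 2 already present, 1 bad input or missing bundle.
append_ca_to_bundle() {   # append_ca_to_bundle CERT.pem BUNDLE
    local cert="$1" bundle="$2" body
    [ -f "$bundle" ] && pem_is_wellformed "$cert" || return 1
    body=$(pem_body "$cert"); [ -n "$body" ] || return 1
    case "$(pem_body "$bundle")" in *"$body"*) return 2 ;; esac
    cp -p "$bundle" "$bundle.bak-$(date +%Y%m%d%H%M%S)"   # upgrades may overwrite
    { printf '\n# upstream HTTPS-inspection CA, added %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
      cat "$cert"; } >> "$bundle"
}

# Both files from the reply: application updates (CPDIR) and Gaia updates (FWDIR).
deploy_proxy_ca() {       # deploy_proxy_ca CERT.pem
    local f rc
    for f in "$CPDIR/conf/ca-bundle.crt" "$FWDIR/bin/ca-bundle.crt"; do
        rc=0; append_ca_to_bundle "$1" "$f" || rc=$?
        case $rc in
            0) echo "added to $f" ;;
            2) echo "already present in $f" ;;
            *) echo "failed for $f" >&2; return 1 ;;
        esac
    done
}

# Confirm a leaf issued by the inspecting device now validates; INTERMEDIATES.pem
# holds any intermediate CAs (root plus intermediates, per the last reply) or is empty.
verify_against_bundle() { # verify_against_bundle BUNDLE LEAF.pem INTERMEDIATES.pem
    openssl verify -CAfile "$1" -untrusted "$3" "$2"
}
```

Run deploy_proxy_ca against the exported CA file, then verify_against_bundle against a certificate captured from the inspecting device; re-run after any upgrade or Jumbo, since the second call is a no-op when the CA is already present.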