Ryan_Ryan
Advisor

Import a trusted CA cert to Gaia OS

Hi,

We have our Check Point manager behind another device doing HTTPS inspection. What we need is to import its cert as a trusted root CA into the operating system so it is trusted, like you would need to do for all Windows/Linux clients behind a Check Point gateway doing inspection.

Is this possible? I have tried adding it to the HTTPS Inspection blade trusted CA list, but it still shows an untrusted error when connecting.

Can we access the cert store on a Check Point box?

Cheers

Accepted Solution

genisis__
Advisor

Here is the note I made:

How to get updates working when there is an upstream proxy doing deep SSL inspection:
You will need to export the CA file from the upstream device and then add this to the ca-bundle.crt file in two locations on the Check Point device.

$CPDIR/conf/ca-bundle.crt <-- This is so that application-level updates can work.
$FWDIR/bin/ca-bundle.crt <-- This is so that Gaia-level updates work.

Note this has been tested from an R80.40 SMS. However, it is important to note that the file could change as part of an upgrade or Jumbo installation.

Additionally, the above solution is not supported by TAC.
7 Replies
G_W_Albrecht
Legend

Did you follow sk108202: Best Practices - HTTPS Inspection and use the "Update certificate list" option?

CCSE CCTE SMB Specialist
Ryan_Ryan
Advisor

Hi, yes, I have read that; however, it's not really my case. My Check Point manager is not doing HTTPS inspection and should have no configuration relating to that. It's behind another device doing HTTPS inspection (for argument's sake, let's say it's not a Check Point, nor a device we have management of, and bypassing is not possible). How can I make the manager trust it as a root CA?

Is there access to the Gaia system cert store I can drop the certificate in? On normal Linux systems you can copy and paste the cert to the ca-certificates folder, but I don't see any such folder on Check Point.

genisis__
Advisor

I've done something similar, but not sure if it's applicable in this case.

My requirement was to allow the CP Mgr access to the internet via a Fortigate which was doing HTTPS inspection. Therefore the only way to achieve this was to ensure the Fortigate's certificate was trusted by the Mgr.

We had to add the cert in two places. The reason for this was firstly to ensure the application level could get updates, i.e. IPS etc., and secondly so that the OS could get updates, i.e. Jumbos etc.

The way I got it working was never confirmed as a supported solution by TAC, but at the same time they never really gave me a solution either.

Is this what you want to do?

Ryan_Ryan
Advisor

Yes, 100% what I need!

Could you please share how to do it? Thanks!

G_W_Albrecht
Legend

Why do you need to HTTPS inspect known traffic that is secure? I would just bypass this traffic!

CCSE CCTE SMB Specialist
Ryan_Ryan
Advisor

Thank you!! That did the trick.