HTTPS Inspection - Chain Errors


Hi all,

I have a gateway running 80.20 M2 and I recently enabled SSL Inspection for a small group. It is working correctly (I see our cert in the browser and no warnings), but I see some strange errors in the logs and sometimes in the browser about the "certificate chain not signed by a trusted CA".

When I look at the certificate, it seems to be missing the original CA and didn't insert our CA/cert.

For example, normal certs look like: DigicertCA-->www.CDWG.com
Inspection working: MYEnterpriseCA-->www.CDWG.com
When I see errors it looks like: www.CDWG.com

Am I missing something?

Thanks!

--Ben

2019-03-29 12_45_01-csd8-management - Remote Desktop Connection Manager v2.7.png

2019-03-29 12_54_01-Certificate Viewer_ “www.cdwg.com”.png

 

3 Solutions

Accepted Solutions

Hi @Benjamin_Lamber 

The DigiCert certificate is not in the R80.20 root certificate store.

So you get a certificate chain error.


Thank you, this was ultimately the issue. For some reason Check Point did not have DigiCert Global Root G2/G3 in the certificate store. I was able to download them from their support site and add them.

Is there a way to ensure that the Check Point cert store is being automatically updated, apart from checking the box?

Thank you very much!

--Ben
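
The failure discussed in this thread (a verifier whose trust store lacks the root a server certificate chains to) can be reproduced with plain OpenSSL. This is an added example, not part of the original posts and not Check Point tooling; the CA names, hostname and file names are constructed lab values.

```shell
#!/usr/bin/env bash
# Constructed lab PKI (not real CAs): "Lab Root CA" stands in for the public
# root the site chains to; "Other CA" stands in for the rest of the store.
LAB=$(mktemp -d)

new_ca() {  # new_ca NAME "Subject CN" -> NAME.key / NAME.pem (self-signed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}

new_server_cert() {  # new_server_cert CA_NAME HOSTNAME -> srv.pem
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$LAB/srv.key" -out "$LAB/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/srv.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 2 -out "$LAB/srv.pem" 2>/dev/null
}

# check_chain STORE CERT: prints "trusted", or the verifier's error plus the
# issuer that has to be added to STORE. Returns 0 only when the chain builds.
check_chain() {
  local out
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo "trusted"
  else
    echo "$out" | grep -m1 'error [0-9]'
    echo "missing from store: $(openssl x509 -in "$2" -noout -issuer)"
    return 1
  fi
}

new_ca root "Lab Root CA"
new_ca other "Other CA"
new_server_cert root www.example.test

cp "$LAB/other.pem" "$LAB/store_before.pem"                    # root absent
cat "$LAB/other.pem" "$LAB/root.pem" > "$LAB/store_after.pem"  # root imported

echo "store without the root:"
check_chain "$LAB/store_before.pem" "$LAB/srv.pem" || true
echo "store with the root:"
check_chain "$LAB/store_after.pem" "$LAB/srv.pem"
```

The issuer printed on failure is the name to look for when comparing a site's chain against the CA list the inspecting device trusts.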


8 Replies

It’s impossible for a gateway to be running R80.20.M2 because that’s a Management-only release. What is the gateway actually running here? Also, is this happening consistently for specific sites or at random?


Here is the root certificate. This certificate is not in the root certificate store.

Screenshot_20190330-180412_Chrome.jpg


Here is the intermediate certificate:

Screenshot_20190330-183202_Chrome.jpg


And here is the web server certificate:

Screenshot_20190330-182852_Chrome.jpg


Sorry for the German names in the pictures. I am writing on a Samsung Tab S4 and I cannot change the browser to English.
