Matt_J
Nickel

Inbound SSL Inspection Certificate Issues

I am trying to set up inbound SSL Inspection for the first time for one of our websites we are deploying.

I am using a Digicert wildcard certificate that is imported on the CheckPoint and installed on the server itself. I have verified the whole cert chain is installed and that it's the same cert on the CheckPoint and the server. 

If I turn on the SSL Inspection rule and run an SSL check from Digicert, SSL Shopper, etc, it comes back with an error saying that it's missing the intermediate cert. If I turn off the rule, it comes back just fine. 

Chrome works fine but some Android apps will not connect due to the intermediate missing. 

I have a ticket open but just curious if anyone else has had this issue before and how to get around it.

This is a Cloudguard AWS instance running R80.10. No load balancing or anything, just straight to a Windows server running Apache. 

Thanks in advance!

1 Solution

Accepted Solutions
Admin
Admin

Re: Inbound SSL Inspection Certificate Issues

The .p12 file you import into SmartConsole must include all the intermediate certificates as well.

Otherwise, you see the behavior you are describing.

See: Best Practices - HTTPS Inspection 


3 Replies
Matt_J
Nickel

Re: Inbound SSL Inspection Certificate Issues

The cert contains the whole chain. Are you saying I need to pack up the standalone intermediate along with the cert in the p12?

Matt_J
Nickel

Re: Inbound SSL Inspection Certificate Issues

Never mind... That worked! I packed up both the cert and the intermediate in the p12 and that works now. Can't believe I didn't think of that... I guess I assumed it would use the intermediate in the cert itself.

Thanks!
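
The fix described in the accepted answer and the final reply, as an added example that is not part of the original thread: it uses the OpenSSL command line (an assumption, the thread does not say which tool built the .p12) to build one bundle holding only the leaf and one that also carries the intermediate via `-certfile`, then checks whether each bundle can complete the chain on its own. The CA names, `*.example.test`, the file names and the password `demo` are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: every key and certificate here is throwaway demo material.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"
PASS=demo                                  # constructed export password
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# Constructed chain: Demo Root CA -> Demo Intermediate CA -> *.example.test
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -days 2 -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -days 2 -CA int.pem -CAkey int.key \
  -CAcreateserial -out leaf.pem 2>/dev/null

# Bundle A: key + leaf only. Bundle B: key + leaf + intermediate (-certfile).
openssl pkcs12 -export -inkey leaf.key -in leaf.pem \
  -passout "pass:$PASS" -out leaf-only.p12
openssl pkcs12 -export -inkey leaf.key -in leaf.pem -certfile int.pem \
  -passout "pass:$PASS" -out with-chain.p12

# Print the number of certificates stored in PKCS#12 file $1.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true
}

# Succeed only if the leaf in $1 chains to trusted root $2 using nothing but
# the CA certificates packed in the same file (all a strict client is sent).
p12_chain_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts -out "$1.leaf" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -cacerts -out "$1.cas" 2>/dev/null
  openssl verify -CAfile "$2" -untrusted "$1.cas" "$1.leaf" >/dev/null 2>&1
}

for f in leaf-only.p12 with-chain.p12; do
  if p12_chain_ok "$f" root.pem; then s="chain complete"; else s="intermediate MISSING"; fi
  echo "$f: $(p12_cert_count "$f") certificate(s), $s"
done
```

Running the same two functions against the real .p12 before importing it (with the issuing root as `$2`) shows whether the intermediate made it into the file.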