Henrique_Sauer_
Contributor

Import a list of certificates!

Is there any option to update all the trusted CAs list?

Where can I find the complete packet of trusted CAs to download?

Is there any option to import my own list?

Thank you

1 Solution

Accepted Solutions
PhoneBoy
Admin

The list of CAs is updated regularly.

You can export a single CA (not the whole list), but you can see the whole list.

You can also import a single CA (you have to repeat this step multiple times):


11 Replies
Henrique_Sauer_
Contributor

I see, my problem is that from time to time we have to import all the governmental certificates and they are more than 100, so it's time-wasting to import one by one.

Should be a nice feature to import many at the same time.

Thank you Dameon!

0 Kudos
Tomer_Sole
Mentor

Hi, there isn't an out-of-the-box solution for this at the moment. We will consider this request in our next releases.

Henrique_Sauer_
Contributor

Thank you for your response Tomer Sole.

0 Kudos
cezar_varlan1
Collaborator

One of my customers needs to import a new Trusted Root, as several sites are having issues with the fact that this is not recognized by Check Point. Dameon Welch-Abernathy, are you saying that for this we should be using "Import outbound Certificate", as this looks more like the one used for HTTPS Inspection and not the Trusted CA I'm looking for? The only other option is to update the whole list with a zip of "unknown" contents with "unknown format" as per sk64521.

According to sk122973 we could easily solve this issue by importing the Root CA of Digicert Inc.; however, this SK is inaccurate for 80.20. There is no such thing as 'SmartConsole > HTTPS Inspection > Advanced > Trusted CA > Import'. However, looking at how SmartConsole looks in R80 (using the traditional console app for HTTPS Inspection), there is no such menu:

Regardless, I've put 1-2 stars and Feedback on both SKs and am waiting for updates. Check Point actually takes things into consideration and updates them when they get bad feedback.

0 Kudos
Henrique_Sauer_
Contributor

Hello Cezar,

The sk64521 is to update the list of certificates provided by CheckPoint and it's a ZIP file that CheckPoint TAC can provide you if you open a Ticket.

As per sk122973, the SK says the problem is only for 77.30 and 80.10; for other versions above R80.10 take 112 it seems to not have ever been seen.

If you are experiencing such a problem with those websites mentioned in the SK you should contact TAC.

To import the trusted CA certificate in R80.20 is the same way as in R80.10 (SmartConsole > HTTPS Inspection > Advanced > Trusted CA > Import outbound certificate) as Dameon Welch-Abernathy‌ mentioned.

Regards

PhoneBoy
Admin

Just checked myself, R77.30 and R80.20 show exactly the same option pictured in the post cezar varlan‌ pasted.
The option is there, though perhaps it is not labeled exactly as noted in the SK.

0 Kudos
cezar_varlan1
Collaborator

Dameon Welch-Abernathy, I believe in R77.30 you would have an "Advanced" Tab which is missing in my screenshot from 80.20. However, the naming of the button is probably the same.

The SK is still wrong, however :)

0 Kudos
PhoneBoy
Admin

The naming of the menu is the same.

Please make sure to leave feedback in the SK so we can improve it.

0 Kudos
cezar_varlan1
Collaborator

The wording using "outbound" is what I believe is unfortunate.

Just confirmed with TAC via a SR now. After they have checked, they have confirmed this is the correct import button. 

Probably the SK should have either the full button label, or the label should be shortened. 

Issue is fixed. For some reason the default Check Point trusted list of Root CAs is not complete. Microsoft looks like it trusts this particular cert chain out of the box. The error for "untrusted" Certificate Chain has disappeared and has been replaced with invalid (OCSP cannot connect), but the traffic works this time.

Untrusted is automatically blocked, while invalid is allowed.

genisis__
Leader

Have a question, I need to get blade updates from an SMS working.  The SMS is using a third party proxy to reach the internet.  The Proxy does deep SSL inspection.  I've updated the ca-bundle.crt file on the SMS to include the cert that the Proxy is using.  This gets the GAIA level updates working.

Now when attempting to do application level updates for example IPS update this still fails.  I did attempt to install the cert in the 'Trusted CA's section (Import outbound certificate), but still no luck.

Any suggestions?  I do have a TAC case open but TAC have not come back to me in about 2 days now.

0 Kudos
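
Added example, not part of any post in this thread and not Check Point code: a standard-library Python check for the bundle edit described in the last post, which appends an inspecting proxy's CA to a PEM bundle only when its SHA-256 fingerprint matches a value confirmed out of band and the certificate is not already trusted. The function names and the sample data are assumptions; the "certificates" are constructed placeholder bytes, and no Check Point API or file path is used.

```python
import hashlib
import re
import ssl

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)

def fingerprints(pem_text):
    """Return {sha256-hex: pem_block} for every certificate in pem_text."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(p)).hexdigest(): p
            for p in PEM_RE.findall(pem_text)}

def add_trusted_ca(bundle_text, ca_pem, expected_sha256):
    """Append ca_pem to the bundle only if its fingerprint matches the value
    confirmed out of band and it is not already trusted.
    Returns (bundle_text, status)."""
    found = fingerprints(ca_pem)
    if len(found) != 1:
        raise ValueError("expected exactly one certificate in ca_pem")
    (fp, pem), = found.items()
    # Accept both plain hex and colon-separated upper-case fingerprints.
    if fp != expected_sha256.replace(":", "").lower():
        return bundle_text, "rejected: fingerprint mismatch"
    if fp in fingerprints(bundle_text):
        return bundle_text, "already present"
    return bundle_text.rstrip("\n") + "\n" + pem + "\n", "added"

# Constructed sample data: placeholder bytes, not real certificates.
BUNDLE = "".join(ssl.DER_cert_to_PEM_cert(d) for d in
                 (b"constructed root CA one", b"constructed root CA two"))
PROXY_CA_PEM = ssl.DER_cert_to_PEM_cert(b"constructed proxy inspection CA")
# In practice this value comes from the proxy administrator, not the file.
PROXY_CA_SHA256 = hashlib.sha256(b"constructed proxy inspection CA").hexdigest()

if __name__ == "__main__":
    bundle, status = add_trusted_ca(BUNDLE, PROXY_CA_PEM, PROXY_CA_SHA256)
    print(status, len(fingerprints(bundle)))
    print(add_trusted_ca(bundle, PROXY_CA_PEM, PROXY_CA_SHA256)[1])
    print(add_trusted_ca(BUNDLE, PROXY_CA_PEM, "00" * 32)[1])
```

The same fingerprint map can be used to list which certificates in a large set are new before importing them one at a time in SmartConsole.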
