B_P
Collaborator

Manually Import Root CA to "Trusted CAs" List (Let's Encrypt's "ISRG Root X1")

The Check Point automated Root CA hasn't updated to include the Let's Encrypt "ISRG Root X1" cert and now we're getting errors on various Let's Encrypt sites. Is there a way I can manually import the root CA to the Trusted CAs list? sk64521 doesn't help.

Edit: the cert is there; it's a different issue.

0 Kudos
7 Replies
PhoneBoy
Admin

The sk talks about updating our CA bundle, but you can add any root CA you wish to the store.

0 Kudos
B_P
Collaborator

Do you know how, exactly? It appears to only want Zip files and I tried zipping the cert into a zip and importing, but nothing happened.

0 Kudos
PhoneBoy
Admin

The "Update Certificate List" is a special offline file from us.
I was thinking the "Add" button would allow you to upload a trusted CA, but that doesn't appear to be the case.
I suspect a TAC case is necessary here.


0 Kudos
Tobias_Moritz
Advisor

The ISRG Root X1 is from 2015 and has been in the Check Point provided Root CA package for a while. I guess this package was not updated for a while on your management server. This process was semi-automatic until the versions mentioned in sk173629, and even the automatic part of this semi-automatic process was broken in every environment I have seen so far. I mean there was no "update available" banner like the one shown in sk64521.

I suggest you search for the most recent zip file on your management server. On R80.40, it is here:

/opt/CPshrd-R80.40/database/downloads/TRUSTED_CA/2.0/2.8/updateFile.zip

Download this zip file to your Windows machine running SmartDashboard and upload it using Actions -> Update certificate list.

You will get a preview window showing you which CA will be deleted and which will be added, so you can double check before installing it.

If you do not see the 2.8 version of this package on your management server, I think you need a TAC case to check why. But I guess you will find it there.

0 Kudos
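The procedure above starts with finding the most recent updateFile.zip on the management server. The following shell snippet is an added example, not code from the thread or from Check Point: it walks a directory tree laid out like the path quoted above (`<root>/CPshrd-<release>/database/downloads/TRUSTED_CA/<major>/<minor>/updateFile.zip`, an assumption about the layout), picks the highest-versioned package by comparing the minor-version directory numerically (so 2.10 sorts after 2.8), and lists the archive members when `unzip` is installed so the administrator can see what will be uploaded via Actions -> Update certificate list.

```shell
# Added example (not from the thread or from Check Point): locate the newest
# Trusted CA update package on a Check Point management server.
# Assumed layout (from the path quoted in the post):
#   <root>/CPshrd-<release>/database/downloads/TRUSTED_CA/<major>/<minor>/updateFile.zip

# Print the path of the highest-versioned updateFile.zip below the given root (default /opt).
find_latest_trusted_ca_update() {
    root="${1:-/opt}"
    find "$root" -type f -path '*/downloads/TRUSTED_CA/*' -name updateFile.zip 2>/dev/null |
        # prefix each path with its minor version split into numeric fields, e.g. "2 8 /opt/..."
        awk -F/ '{ split($(NF-1), v, "."); print v[1]+0, v[2]+0, $0 }' |
        sort -k1,1n -k2,2n | tail -n 1 | cut -d' ' -f3-
}

# Version string (e.g. 2.8) of a package path, taken from its parent directory name.
trusted_ca_update_version() {
    basename "$(dirname "$1")"
}

# Report the newest package and, when unzip is installed, list its members so the
# administrator can see what is about to be uploaded to the management server.
report_trusted_ca_update() {
    path="$(find_latest_trusted_ca_update "$1")"
    if [ -z "$path" ]; then
        echo "no updateFile.zip found under ${1:-/opt}; consider a TAC case" >&2
        return 1
    fi
    echo "newest Trusted CA package: $path (version $(trusted_ca_update_version "$path"))"
    if command -v unzip >/dev/null 2>&1; then
        unzip -l "$path"
    fi
}

# Usage from the Expert mode shell on the management server:
#   report_trusted_ca_update /opt
```

The version comparison deliberately avoids `sort -V` so the snippet also runs on shells and coreutils builds without that GNU extension; the archive listing only shows member names, since the internal layout of Check Point's package is not documented here.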
cezar_varlan1
Collaborator

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Let’s Encrypt’s root certificate has expired, and it might break your devices | TechCrunch


We don't know if this updated file has the remediated CA. My CA file is from the 9th of June, for example.


@Tobias_Moritz your suggestion worked; however, the easier way is to push the button [only appears when you have updates, and I had already pressed it].


0 Kudos
Tobias_Moritz
Advisor

Please elaborate.

I'm not seeing where I was off-point here. The OP was asking how to add "ISRG Root X1" to CP Trusted CA list because he thought it was missing and causes his problems.

Deamon and I were answering appropriately.

Later, OP edited his post and said that the "ISRG Root X1" was already there and the real problem is another.

You are just linking to the general information for all people who forgot to update their CA chains (in whatever tools), despite the expiration of the old cross-signed chain having been well known for many years.

Check Point did not forget it (it was added to the provided updateFile.zip long ago), but due to the quite broken update mechanism, it was not so unlikely that the OP's SMS did not have it installed yet. That was the whole point of my post.

Am I missing something?

0 Kudos
PhoneBoy
Admin

I think you got it.
This has been improved, thankfully, but may require a manual step (and upgrade to latest JHF): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos