This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
B_P
Advisor
‎2021-10-14 09:56 AM

Manually Import Root CA to "Trusted CAs" List (Let's Encrypt's "ISRG Root X1")

The Check Point automated Root CA hasn't updated to include the Let's Encrypt "ISRG Root X1" cert and now we're getting errors on various Let's Encrypt sites. Is there a way I can manually import the root CA to the Trusted CAs list? sk64521 doesn't help.

Edit: cert it is there, it's a different issue.

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2021-10-14 10:02 AM

The sk talks about updating our CA bundle, but you can add any root CA you wish to the store.

0 Kudos
B_P
Advisor
‎2021-10-14 10:06 AM
In response to PhoneBoy

Do you know how, exactly? It appears to only want Zip files and I tried zipping the cert into a zip and importing, but nothing happened.

0 Kudos
PhoneBoy
Admin
Admin
‎2021-10-14 01:00 PM
In response to B_P

The "Update Certificate List" is a special offline file from us.
I was thinking the "Add" button would allow you to upload a trusted CA, but that doesn't appear to be the case.
I suspect a TAC case is necessary here.

 

0 Kudos
Tobias_Moritz
Advisor
‎2021-10-15 07:20 AM

The ISRG Root X1 is from 2015 and is in the Check Point provided Root CA package for a while. I guess this package was not updated a while on your management server. This process was semi-automatic until the versions mentioned in sk173629 and even the automatic part of this semi-automatic process was broken on every environment I saw yet. I mean there was no "update available" banner like shown in sk64521.

I suggest you search for the most recent zip file on your management server. On R80.40, it is here:

/opt/CPshrd-R80.40/database/downloads/TRUSTED_CA/2.0/2.8/updateFile.zip

Download this zip file to your windows machine running SmartDashboard and upload it using Actions -> Update certificate list.

You will get a preview window showing you which CA will be deleted and which will be added, so you can double check before installing it.

If you do not see 2.8 version of this package on your management server, I think you need a TAC case checking why. But I guess you will find it there.

0 Kudos
cezar_varlan1
Collaborator
‎2021-10-29 05:01 AM
In response to Tobias_Moritz

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Let’s Encrypt’s root certificate has expired, and it might break your devices | TechCrunch

 

We don;t know if this updated file has the remediated CA. My CA file is from the 9th of June for example

 

@Tobias_Moritz your suggestion worked however the easier way is to push the button [Only appears when you have updates, and i had already pressed it]

 

 

 

 

 

Preview file
3 KB
0 Kudos
Tobias_Moritz
Advisor
‎2021-10-29 05:16 AM
In response to cezar_varlan1

Please elaborate.

I'm not seeing where I was off-point here. The OP was asking how to add "ISRG Root X1" to CP Trusted CA list because he thought it was missing and causes his problems.

Deamon and I were answering approprietly.

Later, OP edited his post and said that the "ISRG Root X1" was already there and the real problem is another.

You are just linking to the general information, that all people who forgot to update their CA chains (it whatever tools) despite the expiration of the old cross-signed chain was well known for many years.

Check Point did not forgot it (it was added to the provided updateFile.zip long ago), but due to the quite broken update mechanism, it was not so unlikly that OPs SMS did not have it installed yet. That was the whole point of my post.

Am I missing something?

0 Kudos
(1)
PhoneBoy
Admin
Admin
‎2021-10-29 08:50 AM
In response to Tobias_Moritz

I think you got it.
This has been improved, thankfully, but may require a manual step (and upgrade to latest JHF): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events