Re: Trusted CA list update issues

Emil_T · ‎2025-11-02

My trusted CA lists is outdated.

I have Trusted CAs configured to "Download and install updates automatically"

Diagnose steps I took:

cat $CPDIR/database/downloads/TRUSTED_CA/2.0/Update_Status.dat

[Expert@fc-fw-mgmt:0]# cat Update_Status.dat
(
:Last_Update_Status (3)
:Last_Update_Time (1762070951)
:Last_Update_Reason ()
:Success_Time (1756302852)
)

[Expert@fc-fw-mgmt:0]# date -d 1756302852d @
Wed Aug 27 16:54:12 IDT 2025

[Expert@fc-fw-mgmt:0]# date -d @176207095
Sun Nov 2 10:09:11 IST 2025

[Expert@fc-fw-mgmt:0]# ll
total 16
drwx------ 2 admin root 56 Aug 12 16:53 3.8
drwx------ 2 admin root 56 Aug 27 16:54 3.9
-rw-rw-r-- 1 admin config 113 Nov 2 10:09 Update_Status.dat
-rw-rw---- 1 admin root 66 Aug 27 16:54 last_revision.xml
-rw-rw---- 1 admin config 66 Aug 27 16:54 last_revision_old.xml
-rw-rw---- 1 admin root 10 Aug 27 16:54 tmp_revisions_order.txt

Looks like it had a successful update 2 months ago

I have looked into few articles and threads such as:

https://support.checkpoint.com/results/sk/sk64521

https://support.checkpoint.com/results/sk/sk173629

https://support.checkpoint.com/results/sk/sk132812

https://support.checkpoint.com/results/sk/sk64521

https://community.checkpoint.com/t5/Management/Updating-trusted-CA-list-on-mgmt-server/m-p/150614

https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-root-CA-updates/td-p/5006

None of those has information regarding updates logs or troubleshoot.

Ver: R81.20

R81_20_JUMBO_HF_MAIN Take: 113

How do I know the list is not updated?
For example: msn.com chain is DigiCert Global Root G2 > Microsoft Azure RSA TLS Issuing CA 03 > *.msn.com
DigiCert Global Root G2 is missing from the list.

I also get HTTPS inspection errors like:

Certificate Chain is not signed by a Trusted CA. Refer to sk179944 for more details.
Certificate DN: 'CN=*.msn.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US' Requested Server Name: msn.com

the_rock · ‎2025-11-02

I dont sadly have R81.20 to test, but I believe this is all auto updated in R82.

Best,
Andy

Emil_T · ‎2025-11-02

It's autoupdates in 81.20 as well

What I need is logs...

the_rock · ‎2025-11-02

try this filter in the logs:

blade:"HTTPS Inspection"

Best,
Andy

Emil_T · ‎2025-11-02

Nop, this shows only inspection traffic logs

the_rock · ‎2025-11-02

Let me see if I can figure this out in the lab tomorrow. So essentially, you want to see logs when trusted CA list has been updated, correct?

Best,
Andy

Emil_T · ‎2025-11-02

Yes. What I really need is to see the failure log / debug because it's not updating

Thx

the_rock · ‎2025-11-02

Does anything come up if you search for “Untrusted Certificate – Certificate Chain is not signed by a Trusted CA” or just “Untrusted Certificate"?

Best,
Andy

Emil_T · ‎2025-11-02

Yes, exactly like I wrote in the issue description:

Quote:
"I also get HTTPS inspection errors like:

Certificate Chain is not signed by a Trusted CA. Refer to sk179944 for more details.
Certificate DN: 'CN=*.msn.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US' Requested Server Name: msn.com"

the_rock · ‎2025-11-03

I know thats what you wrote, thats why I was wondering if you see any logs with those messages?

Best,
Andy

Emil_T · ‎2025-11-03

Yes. This s the log I see in traffic monitor: (This is one example)
Certificate Chain is not signed by a Trusted CA. Refer to sk179944 for more details.
Certificate DN: 'CN=*.msn.com,O=Microsoft Corporation,L=Redmond,ST=WA,C=US' Requested Server Name: msn.com"

the_rock · ‎2025-11-03

Hm...thats a bit odd. Not sure why it would give an sk related to standalone config.

Best,
Andy

Emil_T · ‎2025-11-03

Yeah but that's not important. The issue here is the CA updating.

the_rock · ‎2025-11-03

I get it. Might be worth TAC case, if you had not opened one yet.

Best,
Andy

the_rock · ‎2025-11-03

Hey Emil,

This is what I was referring to.

Best,
Andy

the_rock · ‎2025-11-02

This is what I was referring to (attached)

Best,
Andy

Emil_T · ‎2025-11-03

Yes. It is set. I attached a screenshot in the original question. In my version it's slightly different. But it is set to automatic and I need the debug logs to understand what is the problem with the updates

the_rock · ‎2025-11-04

Hey mate,

Please let us know once you figure this out, Im also super curious.

Best,
Andy

Are you a member of CheckMates?

Trusted CA list update issues