We have started evaluating the "HTTPS lite" option as our legacy explicit proxy solution replacement, and I stumbled across a challenge with the flaky Trusted CA update process.
I'm referring to these two SKs:
sk132812 - How to force an update to the HTTPS Trusted Root CA list
I have a couple of questions.
Q1: where can I find info about the latest available Trusted CA update, when it was released and the version itself? By some reverse engineering of the two SKs above I can see that our management thinks the latest version is 2.7, released 1st Dec 2020:
I'm not entirely sure it is indeed the latest version, as a bunch of trusted Microsoft CAs are missing.
Q2: how can we interpret the update status codes? "3" does not sound good to me, as normally "0" or "1" would be success:
Q3: could Check Point publish an "offline" version of the updateFile.zip file in an SK for manual download in case the automated way does not work? I.e. we did not get any notification that a new version was available until I manually fetched the updateFile.zip file from the management and loaded it manually using SmartDashboard.
Q4: A bunch of well-known CAs are still missing; see the MS example below, where we had to add them manually:
Just wondering if it would be smart to create some sort of collaboration so we as customers could provide feedback on "missing" CAs, so they get incorporated into the official bundles faster. I just want to avoid constantly chasing trusted CAs manually from the logs when sites cannot be categorised because the root CA is not known to Check Point.
Any other thoughts and suggestions are welcome if you have found a better way, e.g. using CCADB.
Q1 - In SmartDashboard, under HTTPSi, in Advanced, you should see if a new update is available.
Q2 - AFAIK, the codes are not about mistakes. If you suspect that you did not get the latest update, please check with TAC.
Q3 & Q4 - Best to take up with TAC.
Q1 - that's the problem, Val - SmartDashboard did not show that 🙂 Even though it was downloaded and available on disk after digging into it with the CLI. Hence my rant about "flakiness".
Then you most probably installed the latest one already. Once again, please take it up with TAC.
NP, will take it up with our SE. Just wondered if there was general knowledge out there about the topic 🙂
We have the same problem and our partner told us they never saw this working for any of their customers.
We opened a TAC case and the outcome (from T3) was:
"I have consulted with our colleagues at R&D, they have informed that they are aware of this issue and are currently working on a fix. Once it is completed it will then be integrated in the Main Jumbo."
That was mid-March. Not seen anything related in the Jumbo Release Notes yet, so I guess it's still unfixed.
Hi,
I'm the developer that prepared the fix.
I'd like to verify that the problem you see is indeed the one I've fixed.
Can you please specify the exact version/build of SmartConsole (from SmartConsole's "About" dialog)?
Here we go:
Hello
Do you use portable mode or did you install SmartConsole?
BTW, could you confirm that version 2.7 is the latest for Trusted CAs? 🙂
Yes, it is
I'm sorry, I'm not familiar with that aspect of the feature.
I'll try to get feature owner to answer.
A few of the CAs are missing on my system as well but not all of them. The Azure CAs are missing for example. In the path I also see version 2.7 on my system.
As far as I know the Azure certificates are not missing in 2.7, you can try to install it. Did you install it?
Yes indeed, I did install 2.7 manually.
But a couple of days after the manual CA addition, so that could be the reason why they still show as "user" defined.
That's why it would be nice to have an SK listing the contents of update 2.7 and any new ones 🙂
How do I install the version manually? Last Update Time says: 1619516783 (today) and I don't have a pop-up in SmartDashboard. Do I have to change the value in the SK to force it?
You don't need to have "Microsoft Azure TLS Issuing CA 01":
you have its parent, see image.
If you suspect you have a missing certificate, download it, go to its properties and look whether you have a parent in its chain.
I downloaded it from MDS/CMA to laptop:
and then used SmartDashboard to import:
Good, you have the latest bundle. The certificates that are missing should not be there; you have their parents, as shown in the image.
You cannot have all the certificates in the world... so you have only the ones at the "top" to confirm all the rest.
A quick question: do you use portable SmartConsole or did you install it?
SmartConsole is installed, not portable.
If that cert was missing we were getting "Detect" logs that the site could not be categorised as the cert was not trusted, for example:
That may happen before installing the latest bundle.
Once you have "DigiCert Global Root G2", the "parent" in the image, you don't have to install any of its descendants; this is how it works (https://knowledge.digicert.com/solution/SO16297.html#:~:text=What%20is%20a%20Certificate%20Chain,and....).
OK, let me remove my manual intermediate certs and I'll let you know! 🙂
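The parent/descendant point in the exchange above (the gateway's trusted-CA bundle only needs the root; the issuing intermediate is presented by the web server during the TLS handshake) can be checked with openssl. The following is an added example, not code from this thread or from Check Point: it builds a constructed root -> intermediate -> leaf chain with invented names (Example Root G2, Example TLS Issuing CA 01, www.example.test) and verifies the leaf three ways, with the CA bundle standing in for the trusted-CA list and the "untrusted" file standing in for what the server sends. It needs openssl on the path and writes only to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point): why a trusted-CA bundle
# only needs the ROOT while the intermediate ("Issuing CA") arrives in the
# TLS handshake. Names and the whole chain below are constructed.
set -eu

# Build root -> intermediate -> leaf in directory $1.
make_chain() {
  dir=$1
  # Minimal req config so the example does not depend on the system openssl.cnf;
  # the [ca] section marks the self-signed root as a CA.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/req.cnf"

  # Root CA: self-signed trust anchor (the "parent", like DigiCert Global Root G2 above)
  openssl req -config "$dir/req.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Root G2" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null

  # Intermediate ("... TLS Issuing CA 01"): CSR signed by the root with CA:TRUE
  openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Example TLS Issuing CA 01" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  openssl x509 -req -days 365 -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null

  # Leaf (the web server's certificate), signed by the intermediate
  openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"
  openssl x509 -req -days 365 -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf BUNDLE LEAF [UNTRUSTED]
# BUNDLE plays the gateway's trusted-CA list; UNTRUSTED plays the intermediate
# the server sends in the handshake. Exit status 0 means the chain is trusted.
verify_leaf() {
  bundle=$1; leaf=$2; untrusted=${3:-}
  if [ -n "$untrusted" ]; then
    openssl verify -CAfile "$bundle" -untrusted "$untrusted" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$bundle" "$leaf" >/dev/null 2>&1
  fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_chain "$WORK"

# 1) Root in the bundle, intermediate supplied by the server: trusted.
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem" \
  && echo "root in bundle + intermediate from handshake: OK"
# 2) Only the intermediate imported manually, root absent: NOT trusted.
#    openssl requires the chain to end at a self-signed anchor.
verify_leaf "$WORK/inter.pem" "$WORK/leaf.pem" "$WORK/inter.pem" \
  || echo "intermediate only, no root in bundle: FAIL"
# 3) Root in the bundle but the server omits the intermediate: NOT trusted.
#    This is a server misconfiguration, not a missing CA in the bundle.
verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" \
  || echo "root in bundle, server sent no intermediate: FAIL"
```

Case 2 is the situation of someone who imports an "Issuing CA" by hand without its root: it looks like a fix but does not produce a trusted chain. Case 3 is what a site that really is misconfigured looks like; adding its intermediate to the bundle by hand papers over the server's fault rather than a gap in the CA list, which is the kind of manual addition the thread is trying to avoid.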
We are running "HTTPS lite" and it looks like our trusted CA list has not been updated.
My understanding is that version 2.8 is now the latest trusted CA list. How do I know which version is currently running?
I am not able to find the TRUSTED_CA directory in "$CPDIR/database/downloads/" as shown at the beginning of this post:
[Expert@mds01:0]# cd $CPDIR/database/downloads/
[Expert@mds01:0]# ls -l
total 0
drwx------ 3 admin config 23 Feb 12 2021 ADDITIONAL_HARDWARE
drwx------ 3 admin root 17 Feb 12 2021 CA_BUNDLE
drwx------ 3 admin config 20 Feb 12 2021 REPORTS_UPDATE
drwx------ 3 admin config 23 Feb 12 2021 SLIM_FW_TYPES
[Expert@mds01:0]#
I am however able to find updateFile.zip in the following locations:
[Expert@mds01:0]# find / -name updateFile.zip
/var/opt/CPmds-R80.40/customers/fwman1/CPsuite-R80.40/fw1/conf/SMC_Files/trusted_ca/updateFile.zip
/var/opt/CPmds-R80.40/customers/fwman1/CPshrd-R80.40/database/downloads/TRUSTED_CA/2.0/2.7/updateFile.zip
/var/opt/CPmds-R80.40/customers/fwman1/CPshrd-R80.40/database/downloads/TRUSTED_CA/2.0/2.8/updateFile.zip
I have never been informed about any updates in the GUI, though the checkbox in SmartDashboard is checked.
Do you see any risks of manually updating the trusted CA list to 2.8?
Our MDS is running R80.40, take 91 and the security gateways R80.20, take 190.
Thanks for your help!
Best regards,
Harry
The latest CAs are currently those valid from January 15th, 2021 in v2.8.
On an MDS you would have to change into the specific mdsenv first and then go to the relevant TRUSTED_CA directory. The SmartConsole notification about available updates sometimes doesn't work for me either. I don't see any risk in updating manually through SmartConsole to 2.8, as SmartConsole does various checks before it actually imports the CAs. As always, you should do recent updates of your MDS in case anything goes wrong.
Thanks for your help @Danny. I updated the trusted CA list manually, pushed the policies and now it seems to be working properly.
FYI, there is a new mechanism available in R81.10 as well as prior R8x jumbos that will update the trusted CA list automatically if configured.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...