
HTTPS Certificate Validation - / Harmony Endpoint


After dealing with some certificate validation issues recently (resolved via sk64521 / sk173629 - slightly frustrating this isn't automatic by default), almost all of the certificate validation errors are gone.

The last remaining validation error is for the FQDN, which logs as follows (identifying & irrelevant info snipped out):

HTTPS Validation: Untrusted Certificate
Description: Certificate DN: ',OU=CIWD,O=AO Kaspersky Lab,L=Moscow,ST=Moscow,C=RU' Requested Server Name: See sk159872
Destination Port: 443
IP Protocol: 6
Action: Detect
Type: Log
Blade: HTTPS Inspection
Service: TCP/443
Product Family: Network


This occurs across half a dozen or so destination IP addresses, but the same FQDN in each case.

Testing using openssl reveals the following certificate chain, and there are no Kaspersky certificates in Check Point's Trusted CA list, which is fine I guess, as it does look like Kaspersky are potentially just using their own CA, which may not be publicly trusted (i.e. if it is explicitly trusted in their products that leverage these services).

Certificate chain
 0 s:/C=RU/ST=Moscow/L=Moscow/O=AO Kaspersky Lab/OU=CIWD/
   i:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
 1 s:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
   i:/DC=com/DC=kaspersky/DC=authenticity/CN=Kaspersky Lab Public Services Root Certification Authority

The part that is a little frustrating is that all this traffic is originating from Check Point Harmony Endpoint clients!
So I'm curious what view others may have on this: ignore it? Manually trust the CA? Something else?
0 Kudos
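
Added example, not part of the original post and not Check Point code: a Python script that parses the `Certificate chain` summary shown in the post, checks that each issuer matches the next subject, and reports which issuer DN would have to be present in a trust list for the chain to anchor. The `TRUSTED` set is a hypothetical stand-in for an exported Trusted CA list, the function names are assumptions, and the comparison is by DN string only (no signature verification).

```python
import re

# Chain summary as quoted in the post (server name already snipped by the poster).
SAMPLE = """\
Certificate chain
 0 s:/C=RU/ST=Moscow/L=Moscow/O=AO Kaspersky Lab/OU=CIWD/
   i:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
 1 s:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
   i:/DC=com/DC=kaspersky/DC=authenticity/CN=Kaspersky Lab Public Services Root Certification Authority
"""

# Hypothetical trust list (constructed); DNs must use the same format openssl printed.
TRUSTED = {"/C=US/O=Example Trust/CN=Example Public Root CA"}

# One chain entry: "<depth> s:<subject>" followed by a line "i:<issuer>".
ENTRY = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] in the order the server sent them."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]

def audit_chain(text, trusted_subjects):
    """Summarise chain linkage and whether its top issuer is in the trust list."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no 'N s:/i:' pairs found in input")
    # Each certificate's issuer should be the subject of the next certificate.
    linked = all(chain[k][2] == chain[k + 1][1] for k in range(len(chain) - 1))
    _, subject, issuer = chain[-1]
    return {
        "certs_sent": len(chain),
        "linked": linked,
        "root_sent": subject == issuer,   # True if a self-signed root was included
        "anchor": issuer,                 # DN the validator must already trust
        "anchor_trusted": issuer in trusted_subjects,
    }

if __name__ == "__main__":
    for key, value in audit_chain(SAMPLE, TRUSTED).items():
        print(f"{key}: {value}")
```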
3 Replies

(Also trusting the CA raises the whole subject of the Kaspersky situation (sk178688, sk118539, etc), but that's a whole different topic 😉 )

0 Kudos

As you have mentioned yourself, Kaspersky is a tricky subject. However, you can manually configure to trust that cert, if you are absolutely sure this is what you want/need.

0 Kudos

Hi Ben,

Yes, this is a certificate originating from our usage of the Kaspersky SDK in this version of Harmony Endpoint. It has been signed like that (with Kaspersky CA) for the past few years; it is not new.

I guess the answer to your question goes back to you - what is your goal? You want to suppress those "Untrusted Certificate" logs on the GW? Then you can trust it. Do you just want to know if it's "suspicious"? Then no, it's not suspicious.



0 Kudos

