After dealing with some certificate validation issues recently (resolved via sk64521 / sk173629 - slightly frustrating this isn't automatic by default), almost all of the certificate validation errors are gone.
The last remaining validation error is for the FQDN ds.kaspersky.com, which logs as follows (identifying & irrelevant info snipped out):
HTTPS Validation: Untrusted Certificate
Description: Certificate DN: 'CN=ds.kaspersky.com,OU=CIWD,O=AO Kaspersky Lab,L=Moscow,ST=Moscow,C=RU' Requested Server Name: ds.kaspersky.com. See sk159872
Destination Port: 443
IP Protocol: 6
Blade: HTTPS Inspection
Product Family: Network
This occurs across half a dozen or so destination IP addresses, but the same FQDN in each case.
Testing using openssl reveals the following certificate chain, and there are no Kaspersky certificates in Checkpoint's Trusted CA list, which is fine I guess, as it does look like Kaspersky are potentially just using their own CA, which may not be publicly trusted (i.e. if it is explicitly trusted in their products that leverage these services).
0 s:/C=RU/ST=Moscow/L=Moscow/O=AO Kaspersky Lab/OU=CIWD/CN=ds.kaspersky.com
i:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
1 s:/C=RU/O=Kaspersky Lab/CN=Kaspersky Lab Public Services TLS CA
i:/DC=com/DC=kaspersky/DC=authenticity/CN=Kaspersky Lab Public Services Root Certification Authority
The part that is a little frustrating, is that all this traffic is originating from Check Point Harmony Endpoint clients!
So I'm curious what view others may have on this, ignore it? manually trust the CA? something else?