jberg712
Collaborator

HTTPS Inspection Broken Certificate Chain on websites

I wanted to find out if other people have this issue. We occasionally run into websites that display untrusted certificate errors when in fact these sites do have a trusted certificate. A detect log indicates that the Certificate Chain is not signed by a Trusted CA, which is NOT TRUE. It is signed, but when I run the test with www.ssllabs.com, they state the website has a broken chain. It's a certificate from a valid CA; it's just that whoever installed the certificate on these sites may not know how to install it properly to include the full chain. The sites I'm actually speaking of that we've had the most trouble with are 'usda.gov' sites. The most current one is 'usdalinc.sc.egov.usda.gov'. It seems like what SOMETIMES fixes this is adding the server certificate into the trusted CA. Or I just have to do a bypass, which I'd rather not do.

Is there anything or any other option that corrects this issue?  That can leave things to where they're inspected, but not indicate the site is untrusted just because of a broken chain on their end?  I just want to get other people's take on what they do for this particular scenario.  

0 Kudos
3 Replies
CaseyB
Advisor

I am running R81.10 JHF 150 with HTTPS inspection, the website you provided is working fine for me with no certificate issues.

Are you automatically downloading and updating your CA certs?

HTTPS_CertUpdate.png

Is your Trusted CA drop-down list empty? (it should be)

TrustedCAList.png

0 Kudos
jberg712
Collaborator

We are running R81.20 JHF 79.  We are set to download and update the Trusted CAs automatically.  

The Add CA list does have some certificates in it.  We did run a cpm_doc and I saw where some CAs were listed, but I don't know how to clean those up.  How do we remove those?  Or what do we do with those?  Our list under Add shows 14 objects out of 497.

0 Kudos
CaseyB
Advisor

If you only have 14 items in the list, I would just click on them to manually add and then do a publish / install.

Not sure with regards to the cpm_doc.

0 Kudos
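The failure discussed in this thread can be reproduced offline. The script below is an added example, not something posted by either participant and not Check Point code: it assumes the OpenSSL command line is available, builds a constructed throwaway root, intermediate and leaf, and verifies the leaf as a client would in three situations: the server omits the intermediate, the server sends it, and the client has the intermediate in its own trusted list.

```shell
#!/bin/sh
# Added example. All certificates, names and paths are constructed for the demo.

# Issue one certificate: $1=dir $2=name $3=issuer name $4=extension section $5=CN
issue() {
    openssl req -config "$1/o.cnf" -newkey rsa:2048 -nodes -subj "/CN=$5" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -extfile "$1/o.cnf" -extensions "$4" -days 2 \
        -out "$1/$2.pem" 2>/dev/null
}

# Build a throwaway root -> intermediate -> leaf PKI in directory $1.
build_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' \
        '[leaf]' 'basicConstraints = CA:FALSE' > "$d/o.cnf"
    openssl req -config "$d/o.cnf" -x509 -extensions ca -newkey rsa:2048 -nodes \
        -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" \
        -out "$d/root.pem" 2>/dev/null || return 1
    issue "$d" int root ca "Demo Intermediate CA" || return 1
    issue "$d" leaf int leaf "site.example" || return 1
    # Trust store that also holds the intermediate (the "add the CA" fix).
    cat "$d/root.pem" "$d/int.pem" > "$d/trust_with_int.pem"
}

# Verify leaf $2 against trust store $1. $3 is the file of intermediates the
# server sent, if any. Prints "complete" or "broken".
chain_status() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    case $out in *": OK"*) echo complete ;; *) echo broken ;; esac
}

demo=$(mktemp -d) && build_demo_pki "$demo" || exit 1
echo "server sends leaf only, root trusted:         $(chain_status "$demo/root.pem" "$demo/leaf.pem")"
echo "server sends leaf + intermediate:             $(chain_status "$demo/root.pem" "$demo/leaf.pem" "$demo/int.pem")"
echo "server sends leaf only, intermediate trusted: $(chain_status "$demo/trust_with_int.pem" "$demo/leaf.pem")"
rm -rf "$demo"
```

The first case is the "not signed by a Trusted CA" result from the thread even though the leaf chains to a trusted root; the third case corresponds to adding the missing CA on the inspecting side, which keeps inspection on without a bypass.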
