jberg712
Collaborator

HTTPS Inspection Broken Certificate Chain on websites

I wanted to find out if other people have this issue. We occasionally run into websites that display untrusted certificate errors when in fact these sites do have trusted certificates. A detect log indicates that the Certificate Chain is not signed by a Trusted CA, which is NOT TRUE. It is signed, but when I run the test with www.ssllabs.com, they state the website has a broken chain. It's a certificate from a valid CA; just whoever installed the certificate on these sites may not know how to install them properly to include the full chain. The sites I'm actually speaking of that we've had the most trouble with are 'usda.gov' sites. The most current one is 'usdalinc.sc.egov.usda.gov'. It seems like what SOMETIMES fixes this is adding the server certificate into the trusted CA. OR I just have to do a bypass, which I'd rather not do.

Is there anything or any other option that corrects this issue? That can leave things to where they're inspected, but not indicate the site is untrusted just because of a broken chain on their end? I just want to get other people's take on what they do for this particular scenario.

0 Kudos
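The situation described in the post, a server that sends only its own certificate and omits the intermediate CA that issued it, can be reproduced offline with OpenSSL. The script below is an added example, not code from the thread or from Check Point; the three-tier PKI (root, intermediate, leaf) and every name and path in it are constructed for the demo. It shows why a chain-building verifier rejects the leaf when the intermediate is neither presented by the server nor in the trust store, and why the two remedies discussed in the thread work: the site operator installing the full chain, or the inspecting gateway having the intermediate CA in its trusted list.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce a "broken chain" with OpenSSL.
# The PKI, names and paths below are constructed for the demo; the leaf plays a
# site whose operator installed only the server certificate, without the
# intermediate CA certificate that issued it.

# Build root -> intermediate -> leaf under directory $1 (throwaway test material).
make_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$dir/leaf.ext"

  # Self-signed root CA (stands in for a public root that is in the Trusted CA list)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -sha256 \
    -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null

  # Intermediate CA issued by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null

  # Leaf (server) certificate issued by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=www.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.crt" 2>/dev/null

  # Trust store that also holds the intermediate: the "add the CA manually" workaround
  cat "$dir/root.crt" "$dir/int.crt" > "$dir/root_plus_int.crt"
}

# verify_leaf STORE LEAF [CHAIN]: exit 0 when LEAF chains up to a CA in STORE.
# CHAIN is the file of untrusted certificates the server presented alongside the
# leaf; pass "" to model a server that sent only its own certificate.
verify_leaf() {
  store=$1; leaf=$2; chain=$3
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$store" -untrusted "$chain" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$store" "$leaf" >/dev/null 2>&1
  fi
}

# served_chain_depth HOST: how many certificates a live server presents in the TLS
# handshake. 1 means the leaf alone, the case the thread calls a broken chain.
# Needs network access, so the offline demo below does not call it.
served_chain_depth() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Offline walk-through of the three situations discussed in the thread.
demo() {
  d=$(mktemp -d)
  make_pki "$d"
  if verify_leaf "$d/root.crt" "$d/leaf.crt" ""; then
    echo "leaf only, root trusted:            OK"
  else
    echo "leaf only, root trusted:            FAIL (missing intermediate = broken chain)"
  fi
  if verify_leaf "$d/root.crt" "$d/leaf.crt" "$d/int.crt"; then
    echo "leaf + intermediate, root trusted:  OK (site installed the full chain)"
  fi
  if verify_leaf "$d/root_plus_int.crt" "$d/leaf.crt" ""; then
    echo "leaf only, root+intermediate trusted: OK (intermediate added to trusted CAs)"
  fi
  rm -rf "$d"
}
demo
```

Run it as `sh chain_demo.sh`; it needs only the `openssl` binary. The first line of output is the verifier-side view of what ssllabs reports as a broken chain: nothing is wrong with the certificate itself, the verifier simply has no path from the leaf to a trusted root. To check a real site the way ssllabs does, `served_chain_depth the.host.name` counts the certificates the server actually sends; a result of 1 for a leaf issued by an intermediate is the broken-chain case.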
7 Replies
CaseyB
Advisor

I am running R81.10 JHF 150 with HTTPS inspection, the website you provided is working fine for me with no certificate issues.

Are you automatically downloading and updating your CA certs?

(screenshot: HTTPS_CertUpdate.png)

Is your Trusted CA drop-down list empty? (it should be)

(screenshot: TrustedCAList.png)

0 Kudos
jberg712
Collaborator

We are running R81.20 JHF 79. We are set to download and update the Trusted CAs automatically.

The Add CA list does have some certificates in it. We did run a cpm_doc and I saw where some CAs were listed, but I don't know how to clean those up. How do we remove those? Or what do we do with those? Our list under Add shows 14 objects out of 497.

0 Kudos
CaseyB
Advisor

If you only have 14 items in the list, I would just click on them to manually add and then do a publish / install.

Not sure with regards to the cpm_doc.

0 Kudos
jberg712
Collaborator

Let me ask this. What sort of issues are there with certificates being in the drop-down list under 'Add'? The reason why they are there is because most of them are expired and some were user-added certificates to 3rd parties that we no longer use. So, when I removed them from the big list of Trusted CAs, I'm guessing they ended up there. I don't really need those certificates/CAs anymore. If they're in that list, even though they've expired/are no longer in use, what harm or issue does it create?

0 Kudos
Alex-
Leader

I recall an SK, I believe the HTTPS Inspection Best Practices, stating that adding the CA manually in the list is the way to go. I used to do this from time to time for specific sites from a tool like ssllabs, but hadn't seen this issue recently.

You're correct, and your expired certificates won't be used anyway, so you can leave them out of the main list.

0 Kudos
CaseyB
Advisor

The only issue with certificates being in the drop-down list is that if you browse to a website using that specific certificate in the drop-down list, then you will get an error message while using HTTPS inspection, as it is not trusted.

In the case of your specific scenario, the website is using "Entrust Certification Authority - L1K" & "Entrust Root Certification Authority - G2", so those should not be in the drop-down list, if they are, please add them.

0 Kudos
the_rock
Legend

I have an SSL inspection lab on the same versions; just tested those sites, no issues.

Andy

0 Kudos