HTTPS Inspection and macOS 10.15 (Catalina)
Apple has changed the requirements regarding HTTPS server certificates in its products, mainly Catalina 10.15 and iOS 13.
SHA1 signed certificates are no longer considered secure and servers using them will be blocked.
The default CA certificate we generate for HTTPS Inspection is SHA1 signed.
This means end users with a default HTTPS Inspection CA certificate using macOS 10.15 endpoints will encounter an untrusted certificate error message.
More details (and a solution) can be found in sk163932.
In R80.40, the default HTTPS Inspection CA certificate will be SHA256 signed.
This change will also be integrated into upcoming Jumbo Hotfixes for other R80.x releases.
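An added example, not part of the original post and not Check Point code: a standard-library Python check that reads the signature algorithm from an exported CA certificate (PEM or DER) and flags SHA-1 signatures. The function names are hypothetical, and the two sample inputs are constructed DER skeletons with placeholder contents, not real certificates.

```python
import base64
import re

# Signature-algorithm OIDs; the SHA-1 entries are the kind the post says get blocked.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set means "more bytes follow"
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def to_der(data):  # accept PEM or raw DER bytes
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def signature_algorithm(data):
    der = to_der(data)
    _, body, _ = _tlv(der, 0)         # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, body)   # skip over tbsCertificate
    _, alg, _ = _tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    tag, start, end = _tlv(der, alg)  # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("not an X.509 certificate")
    oid = _oid(der[start:end])
    return SIG_ALGS.get(oid, oid)

def is_sha1_signed(data):
    return "sha1" in signature_algorithm(data).lower()

# Constructed samples: Certificate layout with placeholder TBS and signature.
_SKEL = "30183003020100300d06092a864886f70d0101{}050003020000"
SAMPLE_SHA1 = bytes.fromhex(_SKEL.format("05"))
SAMPLE_SHA256 = bytes.fromhex(_SKEL.format("0b"))
```

To check a real certificate, pass the bytes of the exported CA file to `is_sha1_signed`.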
Do you know if the fix is going to be provided to the SMB line of appliances, namely the 700 and 1400 series?
Thanks!
That said, you can ask via TAC if the relevant fix can be ported to the SMB appliances.
Note you can always generate a new CA key using a procedure similar to this sk (though not directly on the SMB appliance): https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Thanks for the response. I'll need to reach out to TAC to see what, if anything, can be done. I also did try the fix in the SK using an R80.30 firewall but that didn't appear to change the behavior at all on the SMB device.
