KeonNg
Participant

Import 2 Different Domain CA for outbound HTTPS inspection certificates

Hi All,

Current Environment Setup:

URL Filtering Enabled

HTTPS Inspection Enabled: Domain A (Signed by Third-Party CA)

There's a scenario where the customer is migrating to new Active Directory domains, so some existing users are still in Domain A while some users have been migrated to Domain B. Previously, all the users' PCs already had the certificate under Domain A installed, exported from the gateway for HTTPS Inspection. However, when migrating the users to the new domain, the users in the new domain are facing a certificate authority invalid issue, which leaves them unable to browse the internet. After checking, we found that the browser certificate is still using the old Domain A, which is why the connection is not trusted, as it is a different domain.

The customer's concern is that if the HTTPS Inspection certificate is renewed to the new Domain B, all the existing users still in Domain A might be impacted, as the gateway will not recognize these users. However, without renewing the cert to the new domain, the migrated users are impacted and cannot browse the internet.

Hence, I would like to know whether it is possible to import 2 different domain CA certs into HTTPS Inspection so that HTTPS Inspection can be applied to users of two different Active Directory domains. Or is there any workaround for this situation? Kindly advise. Thank you.

Best Regards,
Keon

0 Kudos
4 Replies
emmap
Employee

I believe it's a planned feature for R82 to support multiple outbound HTTPS certificates.

If you can't wait for that, you will have to look at (for example) deploying the domain B cert out to the domain A PCs as a trusted CA, and then importing that CA into the gateways. You could do it the other way around but then you have to maintain that for every new domain B PC. 

0 Kudos
KeonNg
Participant

Hi emmap,

Does the example you mentioned mean that we take the domain B cert to domain A to be acknowledged as a trusted CA and import it into the gateway, so we have to renew the certificate, export it, and install it on all domain B PCs? Sorry, I'm not so familiar with the CA-signed certificate flow.

By doing this, existing users will not be interrupted to install the latest certificate again once it is renewed?

Best Regards,

Keon

0 Kudos
emmap
Employee

If you're using the domain B CA cert, all the domain B PCs trust it already. That's the benefit of using your AD CA cert for HTTPS inspection. There's no cert renewing happening.

0 Kudos
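
The trust relationship described in the replies above, as an added lab sketch that is not part of the thread and not Check Point code: two throwaway openssl CAs stand in for the Domain A and Domain B CAs, each leaf stands in for the certificate the gateway generates for an inspected site, and each PEM bundle stands in for a PC's trusted root store. All file names, function names and CNs are assumptions made for the illustration.

```bash
#!/usr/bin/env bash
# Constructed lab: two throwaway CAs stand in for the Domain A and Domain B CAs.
# Every name here (LAB, make_ca, make_leaf, trusts, the CNs) is hypothetical.
LAB=$(mktemp -d)
cat > "$LAB/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

make_ca() {    # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$LAB/ca.cnf" \
    -subj "/CN=$2" -keyout "$LAB/$1.key" -out "$LAB/$1.pem" 2>/dev/null
}
make_leaf() {  # $1 = signing CA prefix; models the cert minted for an inspected site
  openssl req -newkey rsa:2048 -nodes -config "$LAB/ca.cnf" -subj "/CN=www.example.test" \
    -keyout "$LAB/leaf_$1.key" -out "$LAB/leaf_$1.csr" 2>/dev/null
  openssl x509 -req -in "$LAB/leaf_$1.csr" -CA "$LAB/$1.pem" -CAkey "$LAB/$1.key" \
    -CAcreateserial -days 1 -out "$LAB/leaf_$1.pem" 2>/dev/null
}
trusts() {     # $1 = trust store (PEM bundle), $2 = leaf; status 0 if the chain validates
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca A "Lab Domain A CA"; make_ca B "Lab Domain B CA"
make_leaf A; make_leaf B
cp "$LAB/A.pem" "$LAB/store_A.pem"                   # PC still in domain A
cp "$LAB/B.pem" "$LAB/store_B.pem"                   # PC migrated to domain B
cat "$LAB/A.pem" "$LAB/B.pem" > "$LAB/store_AB.pem"  # domain A PC after CA B is deployed to it

for store in A B AB; do
  for ca in A B; do
    if trusts "$LAB/store_$store.pem" "$LAB/leaf_$ca.pem"; then r=trusted; else r="CA invalid"; fi
    echo "gateway signs with CA $ca, client store $store: $r"
  done
done
```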
PhoneBoy
Admin

Yes, this functionality (allowing multiple outbound CAs for HTTPS Inspection) is in the R82 Public EA:

[screenshot: image.png]

0 Kudos