This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cypress
Contributor
‎2025-04-07 11:42 AM
Jump to solution

Question about sk173629 to install Trusted CAs list automatically

I have a question regarding the Trusted CAs List on a Security Gateway running HTTPS inspection.

I have encountered, in some rare cases, where a legitimate website with a legitimate CA-issued certificate will show as a Cert Error for our users.  When this happened, the logs in Logs & Monitoring would show "Untrusted Certificate."  Previously, I was fixing this by bypassing inspection for that domain.. but I have very recently come to realize the TRUE root cause is because the website's issuing CA is not present in our gateway's 'Trusted CAs' list.  Ah ha, a root cause finally found. 

So.. anyway now on to my actual questions:

1. Is it the best practice from Check Point to toggle this setting in SmartDashboard Trusted CAs to "download and install updates automatically?"  I'm assuming this is the recommendation now, but thought I would ask.

2. I have read some OLDER posts on here that after installing an updated Trusted CAs list, you still have to install policy to the gateway.  Is that still true?  (In R81.20?)  sk173629 mentions installing policy to the gateways after making the settings change, but it doesn't mention installing policy upon subsequent updates?

 

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2025-04-07 12:11 PM
Jump to solution

My own experience and based on answers about this from TAC:

1) Yes

2) It depends, its 50-50, but TAC told me its best to install policy anyway

Hope that helps.

Andy

Best,
Andy

View solution in original post

(1)
4 Replies
the_rock
MVP Gold
MVP Gold
‎2025-04-07 12:11 PM
Jump to solution

My own experience and based on answers about this from TAC:

1) Yes

2) It depends, its 50-50, but TAC told me its best to install policy anyway

Hope that helps.

Andy

Best,
Andy
(1)
the_rock
MVP Gold
MVP Gold
‎2025-04-07 01:01 PM
In response to the_rock
Jump to solution

@Cypress I would still double check with TAC to confirm, but thats what I know 🙂

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-04-07 05:00 PM
Jump to solution

@Cypress 

FWIW, I also have up to date R82 mgmt server in the lab that manages R81.20 cluster with ssl inspection on, so can get you updated zip file that can be uploaded for certificate list. But, just FYI, though it does work in R81.20 lab, its my "disclosure" that it may not work for you : - )

Andy

Best,
Andy
0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-04-07 07:10 PM
In response to the_rock
Jump to solution

@Cypress 

Was doing some Azure labs, so figured would double check on this. So, whatever you see for download in below sk, is literally same thing I see in my R82 lab:

sk64521 - How to update the Trusted Certificate Authorities (CAs) list for HTTPS Inspection and HTTP...

There is no .zip file in R82 folder, where you would have found it in R81.20 and below, as mechanism is a bit different. I also attacxhed screenshots for reference. If you need more help, let me know.

/opt/CPshrd-R82/database/downloads/CA_BUNDLE/1.0/1.1

Best,

Andy

Best,
Andy
Preview file
96 KB
Preview file
196 KB
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events