Cypress
Contributor

Question about sk173629 to install Trusted CAs list automatically

I have a question regarding the Trusted CAs List on a Security Gateway running HTTPS inspection.

I have encountered, in some rare cases, where a legitimate website with a legitimate CA-issued certificate will show as a Cert Error for our users. When this happened, the logs in Logs & Monitoring would show "Untrusted Certificate." Previously, I was fixing this by bypassing inspection for that domain, but I have very recently come to realize the TRUE root cause is that the website's issuing CA is not present in our gateway's 'Trusted CAs' list. Aha, a root cause finally found.

So... anyway, now on to my actual questions:

1. Is it the best practice from Check Point to toggle this setting in SmartDashboard Trusted CAs to "download and install updates automatically?"  I'm assuming this is the recommendation now, but thought I would ask.

2. I have read some OLDER posts on here that after installing an updated Trusted CAs list, you still have to install policy to the gateway.  Is that still true?  (In R81.20?)  sk173629 mentions installing policy to the gateways after making the settings change, but it doesn't mention installing policy upon subsequent updates?

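The failure mode described in the question above, reproduced as an added example that is not part of this thread and not a Check Point tool: a POSIX shell script that builds a throwaway issuing CA, an unrelated CA and a leaf certificate with the openssl CLI, then verifies the leaf against a trust bundle that lacks its issuer (the condition that surfaces as "Untrusted Certificate" on an inspecting gateway) and again after the issuer has been appended to the bundle (what a Trusted CAs list update does). All subject names, file names and the www.example.test hostname are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "issuing CA missing from
# the trust bundle" failure with throwaway certificates, then show that the
# same chain verifies once the issuer is added. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)

# Build a throwaway issuing CA, an unrelated CA, and a leaf cert signed by the
# first one. All subjects and the hostname are constructed for this demo.
make_demo_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Demo Issuing CA" \
    -keyout "$WORK/issuer.key" -out "$WORK/issuer.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated Root CA" \
    -keyout "$WORK/unrelated.key" -out "$WORK/unrelated.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1

  # A "stale" bundle that knows only the unrelated CA, and an "updated" bundle
  # that also contains the leaf's issuer (what a Trusted CAs update adds).
  cp "$WORK/unrelated.pem" "$WORK/stale_bundle.pem"
  cat "$WORK/unrelated.pem" "$WORK/issuer.pem" > "$WORK/updated_bundle.pem"
}

# Validate a leaf against a given bundle, as an inspecting proxy must do
# before re-signing the connection; prints "trusted" or "untrusted".
verify_leaf_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# Print the leaf's issuer name: this is the entry to look for in the gateway's
# trusted CA list when a log shows "Untrusted Certificate".
leaf_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

make_demo_certs
echo "leaf issuer:    $(leaf_issuer "$WORK/leaf.pem")"
echo "stale bundle:   $(verify_leaf_against "$WORK/stale_bundle.pem" "$WORK/leaf.pem")"
echo "updated bundle: $(verify_leaf_against "$WORK/updated_bundle.pem" "$WORK/leaf.pem")"
```

The stale bundle yields "untrusted" even though the leaf is perfectly valid, which is exactly why bypassing the site only hides the problem: the fix is adding the missing issuer to the trust bundle, and `leaf_issuer` shows which name to check for.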
Accepted Solutions
the_rock
MVP Gold

My own experience and based on answers about this from TAC:

1) Yes

2) It depends, it's 50-50, but TAC told me it's best to install policy anyway

Hope that helps.

Andy

4 Replies
the_rock
MVP Gold

@Cypress I would still double check with TAC to confirm, but that's what I know 🙂

Andy

the_rock
MVP Gold

@Cypress 

FWIW, I also have an up-to-date R82 mgmt server in the lab that manages an R81.20 cluster with SSL inspection on, so I can get you an updated zip file that can be uploaded for the certificate list. But, just FYI, though it does work in the R81.20 lab, it's my "disclosure" that it may not work for you : - )

Andy

the_rock
MVP Gold

@Cypress 

Was doing some Azure labs, so figured I would double check on this. So, whatever you see for download in the sk below is literally the same thing I see in my R82 lab:

sk64521 - How to update the Trusted Certificate Authorities (CAs) list for HTTPS Inspection and HTTP...

There is no .zip file in the R82 folder, where you would have found it in R81.20 and below, as the mechanism is a bit different. I also attached screenshots for reference. If you need more help, let me know.

/opt/CPshrd-R82/database/downloads/CA_BUNDLE/1.0/1.1

Best,

Andy
