This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Benjamin_Lamber
Participant
‎2019-03-29 09:54 AM
Jump to solution

HTTPS Inspection - Chain Errors

Hi all,

I have a gateway running 80.20 M2 and I recently enabled SSL Inspection for a small group. It is working correctly (I see our cert in the browser and no warnings), but I see some strange errors in the logs and sometimes in the browser about the "certificate chain not signed by a trusted CA".

When I look at the certificate, it seems to be missing the original CA and didn't insert our CA/cert.

For example, normal certs look like: DigicertCA-->www.CDWG.com
Inspection working: MYEnterpriseCA-->www.CDWG.com
When I see errors it looks like: www.CDWG.com

Am I missing something?

Thanks!

--Ben

2019-03-29 12_45_01-csd8-management - Remote Desktop Connection Manager v2.7.png2019-03-29 12_54_01-Certificate Viewer_ “www.cdwg.com”.png

 

3 Solutions

Accepted Solutions
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:14 AM
Jump to solution

Hi @Benjamin_Lamber 

the DigiCert certificate is not in R80.20 root certificate store.

So you get a certificate chain error.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:20 AM
In response to HeikoAnkenbrand
Jump to solution

Look at this sk:

sk114679 - HTTPS Bypass (with Site Category) not working for Servers with Self-Signed Certificate

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

View solution in original post

Benjamin_Lamber
Participant
‎2019-04-01 07:37 AM
In response to HeikoAnkenbrand
Jump to solution

Thank you, this was ultimately the issue. For some reason Check Point did not have Digicert Global Root G2/G3 in the certificate store. I was able to download them from their support site and add them.

Is there a way to ensure that the Check Point cert store is being automatically updated, apart from checking the box?

Thank you very much!

--Ben

View solution in original post

8 Replies
PhoneBoy
Admin
Admin
‎2019-03-30 09:03 AM
Jump to solution

It’s impossible for a gateway to be running R80.20.M2 because that’s a Management-only release. What is the gateway actually running here? Also, is this happening consistently for specific sites or at random?

0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:14 AM
Jump to solution

Hi @Benjamin_Lamber 

the DigiCert certificate is not in R80.20 root certificate store.

So you get a certificate chain error.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:20 AM
In response to HeikoAnkenbrand
Jump to solution

Look at this sk:

sk114679 - HTTPS Bypass (with Site Category) not working for Servers with Self-Signed Certificate

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:25 AM
In response to HeikoAnkenbrand
Jump to solution

Here the root certificate. This certificate is not in the root certificate store.

Screenshot_20190330-180412_Chrome.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:32 AM
In response to HeikoAnkenbrand
Jump to solution

Here the intermediate certificate:

Screenshot_20190330-183202_Chrome.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:34 AM
In response to HeikoAnkenbrand
Jump to solution

And here the web server certificate:

Screenshot_20190330-182852_Chrome.jpg

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos
HeikoAnkenbrand
Champion Champion
Champion
‎2019-03-30 10:37 AM
In response to HeikoAnkenbrand
Jump to solution

Sorry for the german names in the pictures. I write on a samsung tab s4 and I cannot change the browser to english.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
Benjamin_Lamber
Participant
‎2019-04-01 07:37 AM
In response to HeikoAnkenbrand
Jump to solution

Thank you, this was ultimately the issue. For some reason Check Point did not have Digicert Global Root G2/G3 in the certificate store. I was able to download them from their support site and add them.

Is there a way to ensure that the Check Point cert store is being automatically updated, apart from checking the box?

Thank you very much!

--Ben

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events