Benjamin_Lamber
Participant

HTTPS Inspection - Chain Errors

Hi all,

I have a gateway running 80.20 M2 and I recently enabled SSL Inspection for a small group. It is working correctly (I see our cert in the browser and no warnings), but I see some strange errors in the logs and sometimes in the browser about the "certificate chain not signed by a trusted CA".

When I look at the certificate, it seems to be missing the original CA and didn't insert our CA/cert.

For example, normal certs look like: DigicertCA-->www.CDWG.com
Inspection working: MYEnterpriseCA-->www.CDWG.com
When I see errors it looks like: www.CDWG.com

Am I missing something?

Thanks!

--Ben

[screenshots: management server log view; certificate viewer for "www.cdwg.com"]

8 Replies
PhoneBoy
Admin

It’s impossible for a gateway to be running R80.20.M2 because that’s a Management-only release. What is the gateway actually running here? Also, is this happening consistently for specific sites or at random?

HeikoAnkenbrand
Champion

Hi @Benjamin_Lamber 

The DigiCert certificate is not in the R80.20 root certificate store.

So you get a certificate chain error.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
HeikoAnkenbrand
Champion

Look at this sk:

sk114679 - HTTPS Bypass (with Site Category) not working for Servers with Self-Signed Certificate

HeikoAnkenbrand
Champion

Here is the root certificate. This certificate is not in the root certificate store.

[screenshot: root certificate]

HeikoAnkenbrand
Champion

Here is the intermediate certificate:

[screenshot: intermediate certificate]

HeikoAnkenbrand
Champion

And here is the web server certificate:

[screenshot: web server certificate]

HeikoAnkenbrand
Champion

Sorry for the German names in the pictures. I am writing on a Samsung Tab S4 and cannot change the browser to English.

Benjamin_Lamber
Participant

Thank you, this was ultimately the issue. For some reason Check Point did not have DigiCert Global Root G2/G3 in the certificate store. I was able to download them from their support site and add them.

Is there a way to ensure that the Check Point cert store is being automatically updated, apart from checking the box?

Thank you very much!

--Ben
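To make the accepted answer and Ben's confirmation concrete, here is an added example, not code from this thread or from Check Point, that reproduces the failure offline in Go. It builds a constructed root -> intermediate -> server chain standing in for DigiCert Global Root G2 -> intermediate -> www.cdwg.com (all certificate names and keys are made up), then verifies the server certificate the way an inspecting gateway would: the server supplies the leaf plus the intermediate, and only the trust store can supply the root. With an empty store, or a store holding some other root, validation fails with UnknownAuthorityError, the condition behind a "certificate chain not signed by a trusted CA" error; after importing the issuing root, as Ben did, the same chain verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-tier PKI standing in for
// DigiCert Global Root G2 -> intermediate -> www.cdwg.com.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with the parent's key and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain constructs root -> intermediate -> leaf for host. Names are made up.
func BuildChain(host string) Chain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)

	rootTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Global Root G2 (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey) // self-signed

	intTpl := &x509.Certificate{
		SerialNumber:          big.NewInt(2),
		Subject:               pkix.Name{CommonName: "Example Intermediate CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	inter := issue(intTpl, root, &intKey.PublicKey, rootKey)

	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := issue(leafTpl, inter, &leafKey.PublicKey, intKey)

	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// Verify validates c.Leaf for host: the server sends leaf + intermediate,
// trustedRoots models the gateway's trusted CA store. Returns nil on success.
func Verify(c Chain, host string, trustedRoots []*x509.Certificate) error {
	roots := x509.NewCertPool() // empty pool, NOT nil: nil would fall back to the OS store
	for _, r := range trustedRoots {
		roots.AddCert(r)
	}
	intermediates := x509.NewCertPool()
	intermediates.AddCert(c.Intermediate)
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "chain does not end in a trusted root" failure.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	site := BuildChain("www.cdwg.com")
	other := BuildChain("other.example") // an unrelated root, as if the store held a different CA

	fmt.Println("empty store:        ", Verify(site, "www.cdwg.com", nil))
	fmt.Println("other root only:    ", Verify(site, "www.cdwg.com", []*x509.Certificate{other.Root}))
	fmt.Println("issuing root loaded:", Verify(site, "www.cdwg.com", []*x509.Certificate{site.Root}))
}
```

Against a live site, `openssl s_client -connect www.cdwg.com:443 -showcerts` prints the leaf and intermediate the server actually sends; the root those chain to is the one that has to be present in the gateway's trusted CA store, and having some other root from the same vendor is not enough.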
