Kaspars_Zibarts
MVP Gold CHKP

Trusted CA updates

We have started evaluating the "HTTPS lite" option as our legacy explicit proxy solution replacement, and I stumbled across a challenge with the flaky Trusted CA updates process.

I'm referring to these two SKs:

sk64521 - How to enable and install update of Trusted CA list for HTTPS Inspection and Categorizatio... 

sk132812 - How to force an update to the HTTPS Trusted Root CA list 

I have a couple of questions.

Q1: where could I find info about the latest available Trusted CA update? When it was released and the version itself. By some reverse engineering of the two SKs above, I can see that our management thinks that the latest version is 2.7, released 1st Dec 2020:

I'm not entirely sure if it is indeed the latest version, as a bunch of trusted Microsoft CAs are missing.

Q2: how can we interpret the update status codes? "3" does not sound good to me, as normally "0" or "1" would mean success:

Q3: could Check Point publish an "offline" version of the updateFile.zip file in an SK for manual download in case the automated way does not work? I.e. we did not get any notification that a new version was available until I manually fetched the updateFile.zip file from the management and loaded it manually using SmartDashboard.

Q4: A bunch of well-known CAs are still missing; see the MS example below, where we had to add them manually:

Just wondering if it would be smart to create some sort of collaboration so that we as customers could provide feedback on "missing" CAs so they get incorporated into the official bundles faster. I just want to avoid constantly chasing trusted CAs manually from the logs when sites cannot be categorised because the root CA is not known to Check Point.

Any other thoughts and suggestions are welcome if you have found a better way, i.e. using CCADB.
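As an added example that is not part of the post (and not Check Point code), a stdlib-only Python script that audits an exported trusted CA bundle against a reference bundle, such as the Mozilla root store behind CCADB, by SHA-256 fingerprint and lists the roots the appliance lacks. The bundle contents below are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block; tolerant of CRLF and of text between blocks.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_BLOCK.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, the same value CCADB publishes per root (hex, case aside)."""
    return hashlib.sha256(der).hexdigest()


def missing_roots(reference_pem: str, appliance_pem: str) -> list[str]:
    """Fingerprints present in the reference bundle but absent from the appliance's bundle."""
    have = {fingerprint(d) for d in parse_pem_bundle(appliance_pem)}
    missing: list[str] = []
    for der in parse_pem_bundle(reference_pem):
        fp = fingerprint(der)
        if fp not in have and fp not in missing:  # de-duplicate repeated roots
            missing.append(fp)
    return missing


def _fake_pem(payload: bytes) -> str:
    """Constructed stand-in for a certificate: arbitrary bytes, PEM-wrapped (not real X.509)."""
    return ("-----BEGIN CERTIFICATE-----\r\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\r\n")


# Constructed sample bundles: the reference carries roots A, B and C; the appliance lacks B.
REFERENCE_BUNDLE = "# constructed reference roots\n" + "".join(
    _fake_pem(p) for p in (b"root-A", b"root-B", b"root-C")
)
APPLIANCE_BUNDLE = _fake_pem(b"root-A") + _fake_pem(b"root-C")

if __name__ == "__main__":
    for fp in missing_roots(REFERENCE_BUNDLE, APPLIANCE_BUNDLE):
        print("missing from appliance trust store:", fp)
```

Pointing it at the appliance's exported PEM and a reference PEM gives a list of roots to raise with the vendor up front, instead of chasing them from categorisation failures in the logs.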