Support Center > Search Results > SecureKnowledge Details
How to update the Trusted Certificate Authorities (CAs) list for HTTPS Inspection and HTTPS Categorization Technical Level
Solution

Background

An important part of HTTPS Inspection support is the validation of the server's certificates from the signing Certificate Authority (CA).

Note - When you enable the "Categorize HTTPS sites" feature, the Trusted CA list is also used.

A Security Gateway with enabled HTTPS Inspection has a built-in predefined list of Trusted CAs, based on the Microsoft updated TrustedCA list.

Updates are released based on changes in the recommended CA list.

This article describes how to:

  • Perform a manual update of Trusted CAs
  • Configure a Management Server to check if updates to Trusted CAs are necessary

To configure a Management Server to update the Trusted CAs automatically, follow sk173629 - How to update Trusted CAs automatically.

Performing a manual update of Trusted CAs on a Management Server

  1. Download the Trusted CAs package.

    Software Subscription or Active Support plan is required to download this package.

  2. Upload the Trusted CAs package to the Management Server.

    On a Management Server R80 and higher:

    Show / Hide this section
    1. Connect with SmartConsole to Security Management Server / Domain Management Server.

    2. From the left navigation panel, click Manage & Setting.

    3. Click Blades.

    4. Below Configure HTTPs Inspection, click Configure in SmartDashboard.

    5. Click the Trusted CAs section.

    6. At the top, click Actions > select Update certificate list... > browse for and select the ZIP file with certificates > click Open.

    7. Save the changes and close SmartDashboard.

    8. In SmartConsole, install the Access Control Policy on the Security Gateways.

    On a Management Server R77.30 and lower:

    Show / Hide this section
    1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    2. Go to the Application & URL Filtering tab.

    3. Expand the Advanced section.

    4. Expand the HTTPS Inspection section.

    5. Click on the Trusted CAs section.

    6. At the top, click Actions button > select Update certificate list... > browse for and selected the ZIP file with certificates > click Open.

    7. Install policy on the Security Gateways.

Enabling automatic update checks for Trusted CAs on a Management Server

On a Management Server R80 and higher:

Show / Hide this section
  1. Connect with SmartConsole to Security Management Server / Domain Management Server.

  2. From the left navigation panel, click Manage & Setting.

  3. Click Blades.

  4. Below Configure HTTPs Inspection, click Configure in SmartDashboard.

  5. Click the Trusted CAs section.

  6. At the bottom of this page, in the Automatic Updates section, select:

    • In versions R81.10 and higher:

      Download updates automatically and notify when an update file is available for installation

      or

      Download and install updates automatically

    • In versions R80.x / R81.00:

      Notify when a Trusted CA and Blacklist update file is available for installation

      Important - This only enables the automatic check for updated Trusted CAs. You must install the update manually.

    If there is an available update, then this message appears:

    A Trusted CA and Blacklist update has been downloaded

  7. Save the changes and close SmartDashboard.

  8. In SmartConsole, install the Access Control Policy on the Security Gateways.

On a Management Server R77.30 and lower:

Show / Hide this section
  1. Connect with SmartDashboard to the Security Management Server / Domain Management Server.

  2. Go to the Application & URL Filtering tab.

  3. Expand the Advanced section.

  4. Expand the HTTPS Inspection section.

  5. Click the Trusted CAs section.

  6. At the bottom of this page, in the Automatic Updates section, select Notify when a Trusted CA and Blacklist update file is available for installation.

    If there is an available update, then this message appears:
    "A Trusted CA and Blacklist update has been downloaded"

  7. Click Install now.

  8. Install policy on the Security Gateways.

Related Solutions:

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment