How to update the Trusted Certificate Authorities (CAs) list for HTTPS Inspection and HTTPS Categorization
Solution

Background

An important part of HTTPS Inspection support is the validation of the server's certificates from the signing Certificate Authority (CA).

Note - When you enable the "Categorize HTTPS sites" feature, the Trusted CA list is also used.

A Security Gateway with HTTPS Inspection enabled has a built-in, predefined list of Trusted CAs, based on the Microsoft updated Trusted CA list.

Updates are released based on changes in the recommended CA list.

This article describes how to:

  • Perform a manual update of Trusted CAs
  • Configure a Management Server to check if updates to Trusted CAs are necessary

To configure a Management Server to update the Trusted CAs automatically, follow sk173629 - How to update Trusted CAs automatically.

Performing a manual update of Trusted CAs on a Management Server

  1. Download the Trusted CAs package (ZIP archive).

    A Software Subscription or Active Support plan is required to download this package.

  2. Upload the Trusted CAs package to the Management Server.

    On a Management Server R80 and higher:

    1. Connect with SmartConsole to Security Management Server / Domain Management Server.

    2. From the left navigation panel, click Manage & Settings.

    3. Click Blades.

    4. Below Configure HTTPS Inspection, click Configure in SmartDashboard.

    5. Click the Trusted CAs section.

    6. At the top, click Actions > select Update certificate list... > browse for and select the ZIP archive with certificates you downloaded in the previous step > click Open.

    7. Save the changes and close SmartDashboard.

    8. In SmartConsole, install the Access Control Policy on the Security Gateways.

    On a Management Server R77.30 and lower:

    1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    2. Go to the Application & URL Filtering tab.

    3. Expand the Advanced section.

    4. Expand the HTTPS Inspection section.

    5. Click on the Trusted CAs section.

    6. At the top, click Actions > select Update certificate list... > browse for and select the ZIP archive with certificates you downloaded in the previous step > click Open.

    7. Install the policy on the Security Gateways.
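
Before uploading a new package in step 2, it can be useful to see which CA certificates it adds or removes compared with the package installed previously. The script below is an added example, not Check Point code; it assumes the ZIP archive holds one certificate per file in PEM or DER form (this article does not describe the package layout) and treats every file in the archive as a certificate. The sample data in it is constructed.

```python
import hashlib
import io
import ssl
import zipfile

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"


def cert_fingerprints(package):
    """Return {SHA-256 of DER bytes: entry name} for a ZIP path or file object."""
    prints = {}
    with zipfile.ZipFile(package) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            raw = archive.read(info)
            text = raw.strip()
            if text.startswith(PEM_HEADER):
                # Normalize PEM to DER so a re-encoded CA is not reported as a change.
                raw = ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
            prints[hashlib.sha256(raw).hexdigest()] = info.filename
    return prints


def diff_packages(old_package, new_package):
    """Return (added, removed) entry names, compared by certificate fingerprint."""
    old, new = cert_fingerprints(old_package), cert_fingerprints(new_package)
    added = sorted(new[fp] for fp in new.keys() - old.keys())
    removed = sorted(old[fp] for fp in old.keys() - new.keys())
    return added, removed


def make_sample_zip(entries):
    """Build an in-memory ZIP from {name: data}; used only for the constructed demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates, not real CA material.
    ca_a, ca_b, ca_c = b"\x30\x82-sample-A", b"\x30\x82-sample-B", b"\x30\x82-sample-C"
    old = make_sample_zip({"a.cer": ca_a, "b.cer": ca_b})
    new = make_sample_zip({"a.pem": ssl.DER_cert_to_PEM_cert(ca_a), "c.cer": ca_c})
    added, removed = diff_packages(old, new)
    print("added:", added, "removed:", removed)
```

With real packages, pass the two ZIP file paths to diff_packages() and review the added and removed entries before you install the policy.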

Enabling automatic update checks for Trusted CAs on a Management Server

On a Management Server R80 and higher:

  1. Connect with SmartConsole to Security Management Server / Domain Management Server.

  2. From the left navigation panel, click Manage & Settings.

  3. Click Blades.

  4. Below Configure HTTPS Inspection, click Configure in SmartDashboard.

  5. Click the Trusted CAs section.

  6. At the bottom of this page, in the Automatic Updates section, select:

    • In versions R81.10 and higher:

      Download updates automatically and notify when an update file is available for installation

      or

      Download and install updates automatically

    • In versions R80.x / R81.00:

      Notify when a Trusted CA and Blacklist update file is available for installation

      Important - This only enables the automatic check for updated Trusted CAs. You must install the update manually.

    If there is an available update, then this message appears in the Automatic Updates section with the button Install Now:

    A Trusted CA and Blacklist update has been downloaded

  7. Save the changes and close SmartDashboard.

  8. In SmartConsole, install the Access Control Policy on the Security Gateways.

On a Management Server R77.30 and lower:

  1. Connect with SmartDashboard to the Security Management Server / Domain Management Server.

  2. Go to the Application & URL Filtering tab.

  3. Expand the Advanced section.

  4. Expand the HTTPS Inspection section.

  5. Click the Trusted CAs section.

  6. At the bottom of this page, in the Automatic Updates section, select Notify when a Trusted CA and Blacklist update file is available for installation.

    If there is an available update, then this message appears in the Automatic Updates section with the button Install Now:

    A Trusted CA and Blacklist update has been downloaded

  7. Click Install Now.

  8. Install policy on the Security Gateways.
