Please update built-in certificates to include Sectigo
Hi,
Please update your built-in certificate to include Sectigo certificates also.
https://support.sectigo.com/Com_KnowledgeProductPage?c=Root_Intermediate_s&lang=
Robert
Comments
Hi @RVilhelmsen
Looking at the documentation you linked, it looks like we already have either the UserTrust or Comodo certificates that appear to be what Sectigo's certs verify back to. I verified this on 12.5.5/12.6.2 -- if you're running an older version of Fireware you'll want to upgrade to make sure you're up to date.
-We only import certificates for proxies automatically -- if you're importing a certificate signed by them onto your firewall, you'll need to import the root and any intermediary into the firewall as "webserver/other" in order to build the chain.
If you need any assistance with this, I'd suggest opening a support case, and one of our technicians can help.
-James Carson
WatchGuard Customer Support
Thawte RSA CA 2018 is also missing.
https://www.tbs-certificates.co.uk/FAQ/en/Thawte_RSA_CA_2018.html
Hi @RVilhelmsen
It looks like that one is signed by digicert, which the firebox does have as a trusted cert for proxies.
-James Carson
WatchGuard Customer Support
@James_Carson
Well, it's not on any of my boxes - had to install it today. My boxes are set to auto update certificates, but why are these certs in my trusted Firebox store, if they are on yours?
USERTrust RSA Certification Authority
Sectigo RSA Extended Validation Secure Server CA
Sectigo RSA Domain Validation Secure Server CA
If I go to either canadagoose.com or support.sectigo.com, I will get a certificate warning when using DPI, if I do not install the above certificates.
If I go to either www-roedovrecentrum-dk, canadagoose-dot-com or support-sectigo.-com, I will get a certificate warning when using DPI, if I do not install these certificates.
These are not in my firebox stores (12.5.5 and 12.6.2).
I can't get to any of those three sites either using a T40-W with 12.6.2.B631387
Adrian from Australia
On my T20 running 12.6.2 U1, it has only the USERTrust RSA Certification Authority cert and I can get to canadagoose.com normally. I block Germany, so that one fails per Geolocation, and support.sectigo.com loads after I refresh the warning page, but it says it's insecure. I am going to add the other certs and test again.
Gregg Hill
I just installed the certs mentioned by Robert and now the support.sectigo.com site loads without a warning. I got them here https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO
I am wondering if I also should install the other certs on that page.
Gregg Hill
Hi Gregg, @RVilhelmsen
Do you have automatic updates of trusted certificates turned on for this firewalls?
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_manage_with_fsm_wsm.html
(See the section about halfway down titled "Update Trusted CA Certificates")
If this isn't enabled, the firewall lets you update the certs yourself. It asks when content inspection is initially configured on each firewall.
-James Carson
WatchGuard Customer Support
James,
Yes, auto update is on, but it is not pulling the certs needed even with an up-to-date list. I have to add certs a few times a year. You just need a bigger list of trusted certs!
Gregg Hill
@James_Carson
Yes, just as @Greggmh123, all my firewalls are set to auto update certificates.
WG needs to update the certificate store with many of the new root CAs and intermediate CAs.
Robert
@Greggmh123 @RVilhelmsen
I can go ahead and put that request in.
What site(s) are you using to test this?
-James Carson
WatchGuard Customer Support
Too many sites to remember over the years!
Gregg Hill
@James_Carson
The ones I mentioned above.
/Robert
@RVilhelmsen I've got the Sectigo ones, but https://www.tbs-certificates.co.uk/ just refuses connections to itself.
Is it possible that this CA has gone out of business?
-James Carson
WatchGuard Customer Support
My guess is that they are still in business because the certs get A+ ratings: https://www.ssllabs.com/ssltest/analyze.html?d=www.tbs-certificates.co.uk and the web site loads when DPI is off.
Gregg Hill
It also loads with DPI when the CA certificate is installed.
Hi @RVilhelmsen It looks like their website was just down yesterday.
-tbs-certificates appears to just resell certs signed by other CAs. The one on their site is signed by GlobalSign. They appear to resell Thawte, Geotrust, Sectigo, and Digicert certificates. In order to help here, I really need to know what site you're running into an issue with the proxy on so I can investigate what root cert is being presented by that site.
I've made the request to update Sectigo's certs.
-James Carson
WatchGuard Customer Support
@James_Carson
Well, honestly I can't remember, as there have been quite a lot of CAs I had to install lately for DPI to work. But the most important ones are also the Sectigo certs, which are used by many sites.
Robert
Ok, if you're able to determine what it is, it's helpful to determine what cert needs to be fixed. Quite often sites will not present the correct cert or there will be some other issue with it. We're unable to add CAs unless we can verify they're valid and trusted. If we can't determine that, it's left to the administrators like you to determine if they're trusted.
Thank you,
-James Carson
WatchGuard Customer Support
Regarding "We're unable to add CAs unless we can verify they're valid and trusted", I have had a few over the years where you already had the root trusted but were missing their intermediate certs. I had to add the intermediate certs.
Gregg Hill
Hi Greg,
The way certs for the https proxy work, if they're properly signed and presented, you really shouldn't have to import the intermediary. Generally you only need to install intermediary certs on the firewall if you're installing a certificate to use on the firewall itself.
If you're having to install an intermediary certificate on the firewall to get outbound HTTPS traffic to work, there's something wrong with how the cert is being presented on the web server you're visiting -- installing that intermediary is basically just a band-aid to make it work.
-James Carson
WatchGuard Customer Support
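James's point in the reply above (a correctly configured web server sends its leaf certificate together with the intermediate, so only the root needs to sit in the firewall's trusted CA store, and importing the intermediate by hand only papers over a server that sends an incomplete chain) can be reproduced locally. The script below is an added example, not code from this thread or from WatchGuard; it assumes the openssl command-line tool is installed and builds its own throwaway root CA, intermediate CA and server certificate with hypothetical names (Example Root CA, Example Intermediate CA, www.example.test). It then verifies the leaf three ways: with the intermediate presented alongside it, with the intermediate missing, and with the intermediate imported into the trust store as the band-aid.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway PKI built with the openssl
# CLI, used to show why a server that omits its intermediate fails validation
# and why importing that intermediate into the trust store only masks the fault.
# Every key and certificate below is constructed here; nothing is fetched.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the example does not depend on the system openssl.cnf.
# The [dn] CN is a placeholder; every command below overrides it with -subj.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# Extensions for the intermediate CA and for the server (leaf) certificate.
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/int.ext"
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:www.example.test\n' > "$WORK/leaf.ext"

# newkey FILE: generate a P-256 key (fast, and fine for a demo PKI).
newkey() {
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null
}

# Root CA: self-signed, with CA:TRUE from the [ca_ext] section.
newkey "$WORK/root.key"
openssl req -x509 -config "$WORK/req.cnf" -key "$WORK/root.key" \
  -subj "/CN=Example Root CA" -days 3650 -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA: CSR signed by the root.
newkey "$WORK/int.key"
openssl req -new -config "$WORK/req.cnf" -key "$WORK/int.key" \
  -subj "/CN=Example Intermediate CA" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 1825 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate: CSR signed by the intermediate, not by the root.
newkey "$WORK/leaf.key"
openssl req -new -config "$WORK/req.cnf" -key "$WORK/leaf.key" \
  -subj "/CN=www.example.test" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 397 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# verify_leaf TRUST_STORE [PRESENTED_INTERMEDIATES]
# Plays the role of the proxy: TRUST_STORE is what the firewall trusts,
# PRESENTED_INTERMEDIATES is what the web server sent along with its leaf.
# Prints "ok" when the chain validates and "fail" otherwise.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    if openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
  else
    if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
  fi
}

# Case 1: the normal case. Server sends leaf + intermediate; store holds only the root.
case_proper_chain() { verify_leaf "$WORK/root.pem" "$WORK/int.pem"; }

# Case 2: misconfigured server. It sends only the leaf; store holds only the root.
# This is the situation that produces a certificate warning behind content inspection.
case_missing_intermediate() { verify_leaf "$WORK/root.pem"; }

# Case 3: the band-aid. Same broken server, but the admin imported the
# intermediate into the trust store, so the chain can be completed locally.
case_bandaid() {
  cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/store.pem"
  verify_leaf "$WORK/store.pem"
}

echo "leaf + intermediate presented, root trusted:            $(case_proper_chain)"
echo "leaf only presented, root trusted:                      $(case_missing_intermediate)"
echo "leaf only presented, root + intermediate trusted:       $(case_bandaid)"
```

The second case is the one to look for when a site only works after an intermediate is imported: the root was trusted all along, and the fix belongs on the web server. To see what a real server actually sends, `openssl s_client -connect host:443 -servername host -showcerts` lists every certificate in the handshake; if only the leaf appears, the server's chain is incomplete rather than the firewall's trust store.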
Hi @James_Carson
I'm running 12.5.5 on my T15s and 12.6.2 on my M370s. All the Comodo certificates are in the Firebox trust store, but what is missing is these:
USERTrust RSA Certification Authority
Sectigo RSA Extended Validation Secure Server CA
Sectigo RSA Domain Validation Secure Server CA
If you test support.sectigo.com and canadagoose.com from ssllabs, you will see
And this is for proxies - I'm not installing a new signed certificate.
Robert
@James_Carson
canadagoose.com, www-roedovrecentrum-dk, support-sectigo-com
@James_Carson
canadagoose.com
www-roedovrecentrum-dk
support-sectigo.-com
If I go to either canadagoose.com or support.sectigo.com, I will get a certificate warning when using DPI, if I do not install the above certificates.