Expired certificate - Hongkong Post Root CA

Anyone else seeing this in the logs?

certd Certificate (subject=c=HK,o=Hongkong Post,cn=Hongkong Post Root CA 1) is expired. msg_id="4001-0004"

Looking at the certs I see:

Certificate Details
Subject name: c=HK o=Hongkong Post cn=Hongkong Post Root CA 1
Subject alt name:
Imported/Created: Tue May 09 2023 16:06:11 GMT+0100 (British Summer Time)
Issuer: c=HK o=Hongkong Post cn=Hongkong Post Root CA 1
Valid from: May 15 05:13:00 2003 GMT
Valid to: May 15 04:52:00 2023 GMT
Algorithm: RSA
Key length: 2048
Key usage: Signature
Extended key usage: CA Cert
Fingerprint: D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58

So the message is accurate - cert has expired.

I have "Update Trusted CA for Proxies" on automatic and have pressed the button to "Download the latest versions of the Trusted CA certificates".

Anyone know where the certs are being pulled from? A Watchguard managed source?

T55 running 12.9.3.B679093.
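As an added example (not from this thread and not WatchGuard code), here is a standard-library Python check that walks a PEM bundle of trusted CAs and lists each expired one with its subject in the c=,o=,cn= form the certd log uses and the SHA-1 fingerprint Certificate Manager shows, so the entries to remove can be matched against the log; it assumes the trusted CA list can be exported as PEM, and handles both v1 and v3 certificates and both UTCTime and GeneralizedTime. The sample certificate is constructed inline with the subject and validity dates from the post but a dummy key, so its dates and subject match the real one and its fingerprint does not.

```python
import base64, hashlib, re
from datetime import datetime, timezone

def der_children(buf, start, end):
    # Yield the sibling DER TLVs in buf[start:end] as (tag, value_start, value_end).
    while start < end:
        tag, length, pos = buf[start], buf[start + 1], start + 2
        if length & 0x80:                                   # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, pos, pos + length
        start = pos + length

def parse_time(der, t):
    # Time TLV t: UTCTime (0x17, YYMMDDHHMMSSZ, YY >= 50 means 19YY) or GeneralizedTime (0x18, YYYYMMDD...).
    tag, s = t[0], der[t[1]:t[2]].decode("ascii")
    s = (("19" if int(s[:2]) >= 50 else "20") + s) if tag == 0x17 else s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

OIDS = {b"\x55\x04\x03": "cn", b"\x55\x04\x06": "c", b"\x55\x04\x0a": "o"}   # commonName, countryName, organizationName
def name_to_str(der, start, end):
    # X.501 Name -> "c=..,o=..,cn=.." in the same order the certd log line prints it.
    parts = []
    for _, ss, se in der_children(der, start, end):                          # each RDN SET
        (_, os_, oe), (_, vs, ve) = der_children(der, *next(der_children(der, ss, se))[1:])
        parts.append(f"{OIDS.get(der[os_:oe], '?')}={der[vs:ve].decode()}")
    return ",".join(parts)

def expired_certs(pem_text, now=None):
    # [(subject, not_after, SHA-1 fingerprint)] for every cert in the PEM bundle whose notAfter has passed.
    now, found = now or datetime.now(timezone.utc), []
    for b64 in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S):
        der = base64.b64decode("".join(b64.split()))
        _, ts, te = next(der_children(der, *next(der_children(der, 0, len(der)))[1:]))  # tbsCertificate
        f = list(der_children(der, ts, te))
        f = f[1:] if f[0][0] == 0xA0 else f                 # drop explicit [0] version (v3) so serial is f[0]
        not_after = parse_time(der, list(der_children(der, *f[3][1:]))[1])   # f[3] = validity, [1] = notAfter
        if not_after < now:
            fp = ":".join(f"{x:02X}" for x in hashlib.sha1(der).digest())   # same form Certificate Manager shows
            found.append((name_to_str(der, *f[4][1:]), not_after, fp))     # f[4] = subject
    return found

# Constructed stand-in (an assumption, not the real cert): the post's subject and dates with a dummy key/signature, so its fingerprint differs from the real D6:DA:... one; it stays under 256 bytes.
def tlv(tag, body):                                         # tiny DER encoder, used only to build the sample
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def rdn(oid, text):
    return tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode())))
NAME = tlv(0x30, rdn(b"\x55\x04\x06", "HK") + rdn(b"\x55\x04\x0a", "Hongkong Post") + rdn(b"\x55\x04\x03", "Hongkong Post Root CA 1"))
TBS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + NAME + tlv(0x30, tlv(0x17, b"030515051300Z") + tlv(0x17, b"230515045200Z")) + NAME + tlv(0x30, b""))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))).decode() + "-----END CERTIFICATE-----\n"
```

Point `expired_certs` at the text of an exported bundle; each returned tuple is one certificate that would produce a msg_id="4001-0004" line.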



    I had a similar support case in 2021.

    From the case:

    Created By: Lyuba Ivanchova (12/1/2021 1:26 AM)

    Hello Bruce,

    I did some research and the certificates that are Certificate Authorities for Proxies only receive quarterly updates to update any missing certificates or newly updated certificates. These updates are pushed out by our engineering team which the Fireboxes will call out to and verify they have the latest list of certificates. So the certificate list may contain expired certificates for a period of time.

    If the expired certificates are still within the store, the Firebox will update against when checking for Trusted CAs. If the certificates were deleted, they would be re-added upon the next automatic update of the Trusted CAs for Proxies.

    Created By: Lyuba Ivanchova (12/2/2021 2:47 PM) | Last Modified By: Lyuba Ivanchova (12/2/2021 2:47 PM)

    Hello Bruce,

    I consulted the case with our engineering team and their advice is to delete the certificates which unfortunately is a manual process. Alternatively, you can ignore the logs or turn off logging for 'Management' but deleting the certificates is better also because of this issue discovered yesterday:

    Created By: Ryan Tait (12/7/2021 6:37 PM) | Last Modified By: Ryan Tait (12/7/2021 6:37 PM)

    Hi Bruce,

    My name is Ryan and I work with the Support Engineering team.
    The logging thing is definitely annoying. From your perspective and many others' perspectives (including me :) ), the CAs for proxies are something for WatchGuard to maintain, not the customer. Logging this over and over again does not benefit you as the user. I've opened enhancement FBX-22468 to just not log those messages anymore. If somebody does want to see the state of the CAs for proxies, the Certificate Manager and WebUI show the state.


    Thanks Bruce.

    "only receive quarterly updates"

    That does seem quite infrequent to me.......
