Please update built-in certificates to include Sectigo

Hi,

Please update your built-in certificate to include Sectigo certificates also.
https://support.sectigo.com/Com_KnowledgeProductPage?c=Root_Intermediate_s&lang=

Robert

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @RVilhelmsen

    Looking at the documentation you linked, it looks like we already have either the UserTrust or Comodo certificates that appear to be what Sectigo's certs verify back to. I verified this on 12.5.5/12.6.2 -- if you're running an older version of Fireware you'll want to upgrade to make sure you're up to date.

    -We only import certificates for proxies automatically -- if you're importing a certificate signed by them onto your firewall, you'll need to import the root and any intermediary into the firewall as "webserver/other" in order to build the chain.

    If you need any assistance with this, I'd suggest opening a support case, and one of our technicians can help.

    -James Carson
    WatchGuard Customer Support

  • james.carson Moderator, WatchGuard Representative

    Hi @RVilhelmsen
    It looks like that one is signed by digicert, which the firebox does have as a trusted cert for proxies.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson
    Well, it's not on any of my boxes - had to install it today. My boxes are set to auto-update certificates, but why aren't these certs in my trusted Firebox store, if they are in yours?

  • These are not in the store

    USERTrust RSA Certification Authority
    Sectigo RSA Extended Validation Secure Server CA
    Sectigo RSA Domain Validation Secure Server CA

    If I go to either canadagoose.com or support.sectigo.com, I will get a certificate warning when using DPI, if I do not install the above certificates.

  • edited November 2020

    If I go to either www-roedovrecentrum-dk, canadagoose-dot-com or support-sectigo.-com, I will get a certificate warning when using DPI, if I do not install these certificates.

    • USERTrust RSA Certification Authority
    • Thawte RSA CA 2018
    • Sectigo RSA EV Bundle
    • Sectigo RSA DV Bundle

    These are not in my Firebox stores (12.5.5 and 12.6.2).

  • edited November 2020

    I can't get to any of those three sites either using a T40-W with 12.6.2.B631387

    Adrian from Australia

  • On my T20 running 12.6.2 U1, it has only the USERTrust RSA Certification Authority cert and I can get to canadagoose.com normally. I block Germany, so that one fails per Geolocation, and support.sectigo.com loads after I refresh the warning page, but it says it's insecure. I am going to add the other certs and test again.

    Gregg Hill

  • I just installed the certs mentioned by Robert and now the support.sectigo.com site loads without a warning. I got them here https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rfBO

    I am wondering if I also should install the other certs on that page.

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    Hi Gregg, @RVilhelmsen
    Do you have automatic updates of trusted certificates turned on for these firewalls?

    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_manage_with_fsm_wsm.html
    (See the section about halfway down titled "Update Trusted CA Certificates")

    If this isn't enabled, the firewall lets you update the certs yourself. It asks when content inspection is initially configured on each firewall.

    -James Carson
    WatchGuard Customer Support

  • James,

    Yes, auto update is on, but it is not pulling the certs needed even with an up-to-date list. I have to add certs a few times a year. You just need a bigger list of trusted certs!

    Gregg Hill

  • @James_Carson

    Yes, just as @Greggmh123, all my firewalls are set to auto-update certificates.
    WG needs to update the certificate store with many of the new root CAs and intermediate CAs.

    Robert

  • james.carson Moderator, WatchGuard Representative

    @Greggmh123 @RVilhelmsen
    I can go ahead and put that request in.

    What site(s) are you using to test this?

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    @Greggmh123 @RVilhelmsen
    I can go ahead and put that request in.

    What site(s) are you using to test this?

    Too many sites to remember over the years!

    Gregg Hill

  • @James_Carson

    The ones I mentioned above.

    /Robert

  • james.carson Moderator, WatchGuard Representative

    @RVilhelmsen I've got the Sectigo ones, but https://www.tbs-certificates.co.uk/ just refuses connections to itself.

    Is it possible that this CA has gone out of business?

    -James Carson
    WatchGuard Customer Support

  • @James_Carson said:
    @RVilhelmsen I've got the Sectigo ones, but https://www.tbs-certificates.co.uk/ just refuses connections to itself.

    Is it possible that this CA has gone out of business?

    My guess is that they are still in business because the certs get A+ ratings: https://www.ssllabs.com/ssltest/analyze.html?d=www.tbs-certificates.co.uk and the web site loads when DPI is off.

    Gregg Hill

  • edited December 2020

    It also loads with DPI when the CA certificate is installed.

  • james.carson Moderator, WatchGuard Representative

    Hi @RVilhelmsen It looks like their website was just down yesterday.

    -tbs-certificates appears to just resell certs signed by other CAs. The one on their site is signed by GlobalSign. They appear to resell Thawte, Geotrust, Sectigo, and Digicert certificates. In order to help here, I really need to know what site you're running into an issue with the proxy on so I can investigate what root cert is being presented by that site.

    I've made the request to update Sectigo's certs.

    -James Carson
    WatchGuard Customer Support

  • @James_Carson

    Well, honestly I can't remember, as there have been quite a lot of CAs I had to install lately for DPI to work. But the most important ones are also the Sectigo certs, which are used by many sites.

    Robert

  • james.carson Moderator, WatchGuard Representative

    Ok, if you're able to determine what it is, it's helpful to determine what cert needs to be fixed. Quite often sites will not present the correct cert or there will be some other issue with it. We're unable to add CAs unless we can verify they're valid and trusted. If we can't determine that, it's left to the administrators like you to determine if they're trusted.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Regarding "We're unable to add CAs unless we can verify they're valid and trusted", I have had a few over the years where you already had the root trusted but were missing their intermediate certs. I had to add the intermediate certs.

    Gregg Hill

  • james.carson Moderator, WatchGuard Representative

    Hi Gregg,

    The way certs for the https proxy work, if they're properly signed and presented, you really shouldn't have to import the intermediary. Generally you only need to install intermediary certs on the firewall if you're installing a certificate to use on the firewall itself.

    If you're having to install an intermediary certificate on the firewall to get outbound HTTPS traffic to work, there's something wrong with how the cert is being presented on the web server you're visiting -- installing that intermediary is basically just a band-aid to make it work.

    -James Carson
    WatchGuard Customer Support
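
The chain-building behaviour James describes, as an added example (not WatchGuard's or Fireware's code): a leaf whose server also sends the intermediate verifies against a root-only trust store, a leaf sent alone does not, and importing the intermediate as trusted is the band-aid. The keys, certificates and the `proxy_accepts` helper are constructed here and merely stand in for the CAs named in the thread.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def mint(cn, issuer=None, issuer_key=None, is_ca=True):
    """Issue a throwaway EC certificate for `cn`; self-signed when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(subject if issuer is None else issuer.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(key if issuer is None else issuer_key, hashes.SHA256()))
    return cert, key


def build_path(leaf, presented_extras, trust_store):
    """Walk issuer links from the leaf to a trust-store anchor, checking each signature."""
    trusted = {c.subject: c for c in trust_store}
    extras = {c.subject: c for c in presented_extras}   # what the web server sent
    cur, path = leaf, [leaf]
    for _ in range(8):  # bound the walk; real chains are two to four certs deep
        issuer = trusted.get(cur.issuer) or extras.get(cur.issuer)
        if issuer is None:
            return False, f"no issuer found for {cur.subject.rfc4514_string()}"
        issuer.public_key().verify(cur.signature, cur.tbs_certificate_bytes,
                                   ec.ECDSA(cur.signature_hash_algorithm))
        path.append(issuer)
        if cur.issuer in trusted:  # reached an anchor the proxy already trusts
            return True, [c.subject.rfc4514_string() for c in path]
        cur = issuer
    return False, "path too long"


# Stand-in hierarchy named after the CAs in the thread (constructed keys, not the real CAs).
ROOT, ROOT_KEY = mint("USERTrust RSA Certification Authority")
INTER, INTER_KEY = mint("Sectigo RSA Domain Validation Secure Server CA", ROOT, ROOT_KEY)
LEAF, _ = mint("support.sectigo.com", INTER, INTER_KEY, is_ca=False)


def proxy_accepts(server_sends_intermediate, admin_installed_intermediate):
    """The two knobs from the thread: what the server presents, what the admin imported."""
    presented = [INTER] if server_sends_intermediate else []
    store = [ROOT, INTER] if admin_installed_intermediate else [ROOT]
    return build_path(LEAF, presented, store)[0]
```

`proxy_accepts(False, True)` is the band-aid case: the path closes only because the intermediate was imported as an anchor, not because the server presented it.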

  • Hi @James_Carson

    I'm running 12.5.5 on my T15s and 12.6.2 on my M370s. All the Comodo certificates are in the Firebox trust store, but what's missing is these:

    c=US st=New Jersey l=Jersey City o=The USERTRUST Network cn=USERTrust RSA Certification Authority
    c=GB st=Greater Manchester l=Salford o=Sectigo Limited cn=Sectigo RSA Extended Validation Secure Server CA
    c=GB st=Greater Manchester l=Salford o=Sectigo Limited cn=Sectigo RSA Domain Validation Secure Server CA

    If you test support.sectigo.com and canadagoose.com from ssllabs, you will see the above certificates are not in the trust store by default yet.

    And this is for proxies - I'm not installing a new signed certificate.

    Robert
