I maintain the Root CA lists, so I hope I can give some more input.
You need to know that MWG was not able from the very beginning to use updatable lists, so early versions of MWG (<= 7.1.5) were delivered with a fixed list and a rule set that points to this list. We then decided to start with an automatically updating list, which has become the default for fresh installations in the meantime. However, if you upgrade from your older policy, MWG will NOT automatically replace your old Root CA list with the one that automatically updates, because we have customers who explicitly want to maintain the Root CA list on their own.
The list shipped with the product initially was less complete than the updatable list we started to offer in > 7.1.5, so it was a common request to have a static dump that could be used in older MWG versions which were not able to automatically update the Root CAs, but were certainly able to load an updated static list. Meanwhile this old version has vanished and has been replaced by versions which support the updatable list, and using the updatable list is the best practice. I don't think there is a reason for using the rule set with the static list from the library; we will discuss if it should be removed.
In regards to your question, it is correct that the rule set does not require any changes in order to use the updatable lists. The rule set always refers to a list and does not care if the list is updatable or static. I recommend to use the provided list of Root CAs in case you do not want to maintain the list of Root CAs yourself.
The only reason why the old list is still present in the rule set is that it was abandoned and no longer requested. We will discuss if removal or update is what we want. Treat it as an orphaned entry for the moment, I cannot think of a useful reason to load it as - as you mentioned - the static list is outdated.
Thanks for clarifying, we will use the McAfee Maintained List and maintain a few exceptions that we have ourselves. The only other question we have is regarding a section from the Online Rule Set “SSL Scanner With McAfee Maintained CA List” that states:
"Additionally if you are using SSL Scanner already, you will most likely have a root certificate authority configured, which is trusted by your users' browsers. The rule set tries to keep the root certificate, but you should ensure that you have a copy of certificate, private key and password available, in case the certificate needs to be imported again."
In what scenario can we lose device root certificate that we imported on client computers?
Unless you manually delete an existing rule set including all options, there should not be a scenario where you lose it. However, when you have an existing SSL Scanner rule set and import a new one, there is some migration performed to solve potential conflicts between existing and new settings. As there is no warranty that these migration and conflict-solving mechanisms operate without any issue, and due to the fact that an accidental replacement of the Root CA will impact end users, I recommend backing up the certificate in place.
I have seen customers who only have the private key stored on MWG. If, due to an issue we don't know about, the certificate and key get lost during the import and you pushed Save Changes too quickly, your users will start seeing certificate warnings, which is not desirable. It should be possible for support to recover the CA and keys from older configuration files kept in the storage, but in such a situation just importing the files from disk again is probably the quickest solution.
So in the end that statement is a warning. You should always have a copy of that Root CA stored in a safe place :-)
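A quick check, added here and not part of the original thread or of MWG, that a Root CA backup (PEM certificate, password-protected PEM key and the password in a file) is actually restorable before the SSL Scanner rule set is touched; the file names are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread or from MWG): verify that a Root CA
# backup is consistent, i.e. the password unlocks the key, the certificate
# belongs to that key, and the certificate is really a CA certificate.
# Arguments (names are assumptions): cert.pem encrypted-key.pem password.txt
# Returns 0 when the three artifacts fit together, a non-zero code otherwise.
verify_ca_backup() {
  cert="$1"; key="$2"; passfile="$3"
  # 1. the stored password must actually decrypt the private key
  openssl pkey -in "$key" -passin "file:$passfile" -noout >/dev/null 2>&1 || {
    echo "key cannot be decrypted with the stored password" >&2; return 1; }
  # 2. the certificate must match the key: compare the public keys
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$key" -passin "file:$passfile" -pubout 2>/dev/null || true)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate does not match private key" >&2; return 2
  fi
  # 3. it must be a CA certificate (basicConstraints CA:TRUE), otherwise the
  #    server certificates issued under it will not be accepted by browsers
  openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || {
    echo "certificate is not a CA certificate" >&2; return 3; }
  echo "backup OK: $(openssl x509 -in "$cert" -noout -subject)"
}
# Usage: verify_ca_backup ca.pem ca.key pass.txt
```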
Thanks Andre, we'll change this over weekend, just in case something goes wrong
In case something goes wrong you know where you can find us ;-)
Let me know in case you have any feedback in regards to the Root CA list. Many updates to the list are based on customer feedback, so just contact me in case of questions/concerns, etc.