5 Replies Latest reply on Feb 11, 2014 5:03 AM by asabban

    Updated Root CA list

    msm

      Hello all,

       

We recently had quite a few SSL/TLS protected web sites throwing exceptions regarding expired certificates. As a quick workaround we manually removed expired Root CA certificates from the “Default known certificate authorities” list and imported updated Root CA certificates (from the CAs that issued certificates for the sites we had problems with). It was only during this procedure that we became aware that the Root CA list included with McAfee Web Gateway is not self-updating by default (we should probably have thought of that before, but in our defense most programs that store Root CA lists keep them updated automatically (e.g. browsers)).

       

After that we did a quick search on the McAfee Extranet and noticed “Updated Certificate Authorities (BETA)” in the “Online Rule Set Library”. The idea of manually updating, now and then, a list that McAfee keeps updated seemed OK, until we noticed that the list was last updated in 2012. Then we noticed “SSL Scanner With McAfee Maintained CA List”. After reading through the documentation this seems like a solution to our problem. What we are confused about is:

• “SSL Scanner With McAfee Maintained CA List” is also from 2012. Is our understanding correct that the rule itself doesn’t need to change (so the last modification date can be from 2012), but that the list is updated through the usual update mechanism and is currently (as of 2/2014) up to date?
• What is recommended to customers? Why is the rule set “Updated Certificate Authorities (BETA)” still available for download, and why isn’t it updated to a 2013/2014 list of Root CAs?

       

      Can anyone clarify this situation a bit more?

       

      Thanks, MSM

       

      Message was edited by: msm on 2/11/14 4:13:41 AM CST
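The workaround described in the post above (find the expired Root CAs in the list and swap them out) is easy to get wrong by hand, so here is a small stdlib-only script that does the first half of that job: walk every certificate in a PEM bundle, read its Validity field, and report the ones that are expired on a given date. This is an added example, not code from the thread or from McAfee Web Gateway; the two certificates in SAMPLE_BUNDLE are constructed, unsigned, minimal X.509-shaped blobs so the script runs offline, and the DER walker follows the RFC 5280 TBSCertificate layout so it also works on a real bundle exported from the gateway. It only checks the validity window, which is all the original problem needed; it says nothing about whether a still-valid root should be trusted.

```python
"""Find expired certificates in a PEM bundle of root CAs (stdlib only).

Added example for this thread, not code from the original posts or from
McAfee Web Gateway. The sample bundle at the bottom is constructed here
(two minimal, unsigned, X.509-shaped blobs) so the script runs offline;
the walker follows the RFC 5280 Certificate/TBSCertificate layout, so it
works on real DER/PEM root certificates as well.
"""
import base64
import re
from datetime import datetime, timezone

PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag, raw):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: 50-99 => 19xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert_start, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _read_tlv(der, cert_start)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                               # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    _, val_start, val_end = fields[3]
    (nb_tag, nb_s, nb_e), (na_tag, na_s, na_e) = list(_children(der, val_start, val_end))
    return _parse_time(nb_tag, der[nb_s:nb_e]), _parse_time(na_tag, der[na_s:na_e])


def expired_certificates(pem_bundle, now=None):
    """Return the indexes (in bundle order) of certs that are not valid at `now`.

    Only the validity window is checked; an unexpired root can still be
    untrustworthy (revoked, wrong key usage, bad signature), which this
    does not detect.
    """
    now = now or datetime.now(timezone.utc)
    bad = []
    for i, match in enumerate(PEM_CERT.finditer(pem_bundle)):
        der = base64.b64decode(b"".join(match.group(1).split()))
        not_before, not_after = certificate_validity(der)
        if not (not_before <= now <= not_after):
            bad.append(i)
    return bad


# --- constructed sample data (not real CA certificates) ------------------

def _tlv(tag, value):
    """Tiny DER encoder (minimal length encoding) for the sample blobs."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def _sample_cert_pem(not_before, not_after):
    """Unsigned X.509-shaped blob carrying only the fields the walker needs."""
    def utc(d):
        return _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _tlv(0x30, b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),                    # version v3
        _tlv(0x02, b"\x01"),                                # serialNumber
        _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _tlv(0x30, b""),                                    # issuer (empty Name)
        _tlv(0x30, utc(not_before) + utc(not_after)),       # validity
        _tlv(0x30, b""),                                    # subject
        _tlv(0x30, b""),                                    # subjectPublicKeyInfo placeholder
    ]))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert)
            + b"-----END CERTIFICATE-----\n")


SAMPLE_BUNDLE = (
    _sample_cert_pem(datetime(2006, 1, 1), datetime(2013, 12, 31))   # expired root
    + _sample_cert_pem(datetime(2010, 1, 1), datetime(2030, 1, 1))   # still valid
)

if __name__ == "__main__":
    check_date = datetime(2014, 2, 11, tzinfo=timezone.utc)
    print("expired on", check_date.date(), "->", expired_certificates(SAMPLE_BUNDLE, check_date))
```

To use it on a real list, read the exported PEM file as bytes and pass it to expired_certificates(); the indexes map to the order of the BEGIN CERTIFICATE blocks in the file. Passing an explicit `now` is deliberate: it lets you ask "which roots will have expired by the next maintenance window" rather than only "which are expired today".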
        • 1. Re: Updated Root CA list
          asabban

          Hello,

           

          I maintain the Root CA lists, so I hope I can give some more input.

           

You need to know that MWG was not able to use updatable lists from the very beginning, so early versions of MWG (<= 7.1.5) were delivered with a fixed list and a rule set that points to this list. We then decided to start with an automatically updating list, which has become the default for fresh installations in the meantime. However, if you upgrade from your older policy, MWG will NOT automatically replace your old Root CA list with the one that automatically updates, because we have customers who explicitly want to maintain the Root CA list on their own.

           

The list shipped with the product initially was less complete than the updatable list we started to offer in > 7.1.5, so it was a common request to have a static dump that could be used in older MWG versions which were not able to automatically update the Root CAs, but were certainly able to load an updated static list. Meanwhile this old version has vanished and has been replaced by versions which support the updatable list, and using the updatable list is the best practice. I don't think there is a reason for using the rule set with the static list from the library; we will discuss if it should be removed.

           

In regards to your question, it is correct that the rule set does not require any changes in order to use the updatable lists. The rule set always refers to a list and does not care if the list is updatable or static. I recommend using the provided list of Root CAs in case you do not want to maintain the list of Root CAs yourself.

           

The only reason why the old list is still present in the rule set library is that it was abandoned and no longer requested. We will discuss if removal or update is what we want. Treat it as an orphaned entry for the moment; I cannot think of a useful reason to load it as, as you mentioned, the static list is outdated.

           

          Best,

          Andre

          • 2. Re: Updated Root CA list
            msm

            Hello Andre,

             

Thanks for clarifying, we will use the McAfee Maintained List and maintain the few exceptions that we have ourselves. The only other question we have is regarding a section from the Online Rule Set “SSL Scanner With McAfee Maintained CA List” that states:

"Additionally if you are using SSL Scanner already, you will most likely have a root certificate authority configured, which is trusted by your users' browsers. The rule set tries to keep the root certificate, but you should ensure that you have a copy of the certificate, private key and password available, in case the certificate needs to be imported again."

             

In what scenario can we lose the device root certificate that we imported on client computers?

             

            Thanks, MSM

            • 3. Re: Updated Root CA list
              asabban

              Hello,

               

Unless you manually delete an existing rule set including all options, there should not be a scenario where you lose it. However, when you have an existing SSL Scanner rule set and import a new one, there is some migration performed to solve potential conflicts between existing and new settings. As there is no warranty that these migration and conflict solving mechanisms operate without any issue, and due to the fact that an accidental replacement of the Root CA will impact end users, I recommend backing up the certificate in place.

               

I have seen customers who only have the private key stored on MWG. If, due to an issue we don't know about, the certificate and key get lost during the import and you pushed Save Changes too quickly, your users will start seeing certificate warnings, which is not desirable. It should be possible for support to recover the CA and keys from older configuration files kept in the storage, but in such a situation just importing the files from disk again is probably the quickest solution.

               

              So in the end that statement is a warning. You should always have a copy of that Root CA stored in a safe place :-)

               

              Best,

              Andre

              • 4. Re: Updated Root CA list
                msm

Thanks Andre, we'll change this over the weekend, just in case something goes wrong.

                 

                MSM

                • 5. Re: Updated Root CA list
                  asabban

                  Sure.

                   

                  In case something goes wrong you know where you can find us ;-)

                   

                  Let me know in case you have any feedback in regards to the Root CA list. Many updates to the list are based on customer feedback, so just contact me in case of questions/concerns, etc.

                   

                  Best,

                  Andre