Symptom:

When using specific application that use their own certificate store to verify CA, such as Python's pip or git, the system returns certificate verification errors such as this:



Cause:

Since these application do not use the Windows store, or are not Windows applications at all (Such as Linux, Unix or WSL), you need to add the Forcepoint SSL certificate that is used for the decryption to the relevant store.



Solution:

Forcepoint has several certificates that are used depending on your deployment type.

  • For local deployments, you need the WCG (proxy CA) certificate
  • For hybrid deployments, you need both the local WCG and the hybrid cloud certificate
  • For full cloud deployments using the cloud proxy or proxy connect endpoint, use the full cloud security (can be downloaded from the cloud console)
  • For full cloud deployments using the direct connect endpoint, use the locally generated certificate. Note: This certificate is generated per endpoint. You will need to do this manually on each EP with their own certificate.

After obtaining the certificate, the installation depends on the target system.



WSL (Windows Subsystem Linux - More info can be found here. This works for all apps in WSL, including git & Python's pip):

  1. Get the relevant certificate and transfer it to the WSL machine
  2. Copy the certificate to the ca store.
    For Ubuntu/Debian: /usr/local/share/ca-certificates/
    Note: File must have the .crt extension
  3. Run the following command and wait for the system to update its store:
    For Ubuntu/Debian: sudo update-ca-certificates


Python on Windows:

  1. Get the relevant certificate, open it in an editor like Notepad++ and copy the certificate Base64 string
  2. Go to the location of the ca file for Python, for x64 v3 the location is:
    C:\Program Files\Python37\Lib\site-packages\certifi
  3. Open the cacert.pem file with an editor and scroll to the end of the file
  4. Add a new line with a comment, something like
    # Forcepoint CA Certificate
  5. Paste the Base64 Forcepoint CA Certificate under it and save the file


cURL on Windows (More information can be found here):

To allow cURL for Windows to work with the endpoint, you need to update the cURL CA Bundle file with the Forcepoint local certificate and place it in the right place

  1. Get the relevant certificate, edit the file and copy the Base64 code.
  2. Download a CA certificate bundle or use an existing one
    For the official cURL bundle go here: https://curl.haxx.se/docs/caextract.html 
  3. Open the downloaded bundle file and add the local Forcepoint certificate Base64 code at the end of the file and save it
  4. Copy the file to C:\Windows\System32 and name it:
    curl-ca-bundle.crt