FAQ for the New Default Cato Certificate for TLS Inspection

This article answers Frequently Asked Questions about the new Cato certificate.

What is a default root certificate and what is it used for?

A default root certificate is a trusted digital certificate used to establish secure communications over networks, especially on the web. The certificate is used for:

  • Authentication: Root certificates establish the authenticity of websites, services, and software

  • Encryption: They are used to encrypt data exchanged over the internet

  • Digital Signatures: Root certificates verify the authenticity of software or updates distributed over the internet

Which devices in my account need to have the Cato root certificate installed?

The Cato root certificate should be installed on any device:

  • With the Cato Client installed

  • That you want to be inspected by TLS inspection

What is the expiration date of the Cato 2015 default certificate?

The Cato 2015 root certificate will expire on October 29, 2025.

When is the new certificate valid from and when does it expire?

The Cato 2024 root certificate is valid from March 5, 2024 and expires on March 3, 2034.

What is the impact of the certificate expiring without being replaced with the new certificate?

Not replacing the Cato certificate can cause operational disruption, increase security risk, and cause trust issues. The most common issue is an inability to access HTTPS websites.

Without a valid certificate on their device, users receive a "Your connection is not private" error message when trying to access an HTTPS website.

Is there any impact if we use our own private certificate authority?

No, there is no impact if you use your own private certificate authority. The impact is for customers that use the Cato root certificate.

How do I activate the new certificate in the Cato Management Application?

Cato does not automatically activate the new certificate. You can activate the new certificate from the Certificate Management page:

  1. From the navigation menu, click Security > Certificate Management.

  2. Click the three dots next to the new certificate.

  3. Click Activate.

  4. In the Activate Certificate pop-up, click OK.

    The new certificate is activated.

The 2015 certificate is still available until it expires.

These are the details for the certificates and the Common Name (CN):

  • 2015 Default Cato Certificate with the CN Cato Networks CA
  • 2024 Default Cato Certificate with the CN Cato Networks Root CA

How is the new certificate activated on devices?

The way the certificate is activated depends on the device operating system and the Cato Client version. You can view the Client version used on all devices in your account from the Remote User Dashboard.

Windows Devices

Devices running the Cato Windows Client version 5.11 and higher support the new and old certificates. To activate the new certificate, upgrade to this version and activate the certificate in the CMA. After the new certificate is activated in the CMA, no additional action is required for devices with these Client versions.

For lower Client versions, the certificate should be distributed to the device with an MDM or installed manually. For more information, see Distributing and Installing Device Certificates.

macOS Devices

New installations of Cato macOS Client version 5.7 and higher support both the old and new certificates. To activate the new certificate, upgrade to this version and activate the certificate in the CMA. After the new certificate is activated in the CMA, no additional action is required for devices with these Client versions.

For devices that upgraded the Client from a lower version to version 5.7 and higher, or for lower Client versions, the certificate should be distributed to the device with an MDM or installed manually. For more information, see Distributing and Installing Device Certificates.

Linux, iOS, or Android Devices

The certificate should be distributed to the device with an MDM or installed manually. For more information, see Distributing and Installing Device Certificates.
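
The per-OS rules above can be applied to a device inventory before the 2024 certificate is activated in the CMA, to list the devices that need the certificate pushed first. The following is an added example, not Cato code; the inventory fields (os, client_version, fresh_install), the device names, and the sample data are assumed and constructed for illustration.

```python
from dataclasses import dataclass

# Minimum Client versions that support both certificates, as stated in this article.
MIN_AUTO = {"windows": (5, 11), "macos": (5, 7)}

@dataclass
class Device:                    # hypothetical inventory record, not a Cato export format
    name: str
    os: str
    client_version: str          # e.g. "5.11.2"; "" if no Client is installed
    fresh_install: bool = True   # macOS only: False if upgraded from a lower version

def parse_version(text):
    """Return (major, minor) as ints, or None if the string is not a version."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        return None
    return int(parts[0]), int(parts[1])

def needs_manual_distribution(dev):
    """True if the 2024 root must be pushed by MDM or installed manually."""
    minimum = MIN_AUTO.get(dev.os.lower())
    version = parse_version(dev.client_version)
    if minimum is None or version is None:
        return True   # Linux, iOS, Android, unknown OS, or unreadable version
    if version < minimum:
        return True   # numeric compare: 5.9 < 5.11, unlike a string compare
    if dev.os.lower() == "macos" and not dev.fresh_install:
        return True   # macOS Clients upgraded from a lower version are not covered
    return False

def triage(devices):
    """Split an inventory into (ready, needs_distribution) lists of device names."""
    ready, pending = [], []
    for dev in devices:
        (pending if needs_manual_distribution(dev) else ready).append(dev.name)
    return ready, pending

# Constructed sample inventory
SAMPLE = [
    Device("win-01", "Windows", "5.11.0"),
    Device("win-02", "Windows", "5.9.3"),
    Device("mac-01", "macOS", "5.7.1"),
    Device("mac-02", "macOS", "5.8.0", fresh_install=False),
    Device("lin-01", "Linux", "5.4.0"),
    Device("ios-01", "iOS", ""),
]

if __name__ == "__main__":
    ready, pending = triage(SAMPLE)
    print("ready:", ready)
    print("distribute 2024 root first:", pending)
```
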

Where can I download the new certificate?

You can download a PEM or DER version of the new certificate. To download the certificate:

  1. From the navigation menu, click Security > Certificate Management.

  2. Click the three dots next to the new certificate.

  3. Choose the certificate format you want to download.

You can also download the new certificate from the Client download portal.

What happens to the 2015 certificate after I activate the 2024 certificate?

After you activate the 2024 certificate, the 2015 certificate is still visible on the Security > Certificate Management page with the status Ready for activation. After October 29, 2025 the status will be Expired.

After activating the 2024 certificate, there may be errors on devices that are still using the 2015 certificate.

2 comments

  • Naoki Kimura

    When enabling a new certificate on the Certificate Management page, is it correct to understand that the Issuer CN of the server certificate during TLS inspection changes to the following values?

    Before enabling: Cato Networks CA  
    After enabling: Cato Networks Root CA  

    Additionally, is it correct to understand that enabling the new Cato certificate before installing it on client PCs may result in errors in establishing secure HTTPS connections?

  • Yaakov Simon

    Naoki Kimura - Thanks for the great questions!

    1. These are the details for the certificates and the Common Name (CN):
      1. 2015 Default Cato Certificate with the CN Cato Networks CA
      2. 2024 Default Cato Certificate with the CN Cato Networks Root CA
    2. Yes, after activating the 2024 certificate, there may be errors on devices that are still using the 2015 certificate.

    I updated the article to include this information.
