FAQ for the New Default Cato Certificate for TLS Inspection

This article answers Frequently Asked Questions about the new Cato certificate.

What is a default root certificate and what is it used for?

A default root certificate is a trusted digital certificate used to establish secure communications over networks, especially on the web. The certificate is used for:

  • Authentication: Root certificates establish the authenticity of websites, services, and software

  • Encryption: They are used to encrypt data exchanged over the internet

  • Digital Signatures: Root certificates verify the authenticity of software or updates distributed over the internet

Which devices in my account need to have the Cato root certificate installed?

The Cato root certificate should be installed on any device:

  • With the Cato Client installed

  • That you want to be inspected by TLS inspection

What is the expiration date of the Cato 2015 default certificate?

The Cato 2015 root certificate will expire on October 29, 2025.

When is the new certificate valid from and when does it expire?

The Cato 2024 root certificate is valid from March 5, 2024 and expires on March 3, 2034.

What is the impact of the certificate expiring without being replaced with the new certificate?

Not replacing the Cato certificate can cause operational disruption, increase security risk, and cause trust issues. The most common issue is an inability to access HTTPS websites.

Without a valid certificate on their device, users receive a "Your connection is not private" error message when trying to access an HTTPS website.

Is there any impact if we use our own private certificate authority?

No, there is no impact if you use your own private certificate authority. The impact is for customers that use the Cato root certificate.

How do I activate the new certificate in the Cato Management Application?

Cato does not automatically activate the new certificate. You can activate the new certificate from the Certificate Management page:

  1. From the navigation menu, click Security > Certificate Management.

  2. Click the three dots next to the new certificate.

  3. Click Activate.

  4. In the Activate Certificate pop-up, click OK.

    The new certificate is activated.

The 2015 certificate is still available until it expires.

These are the details for the certificates:

  • 2015 Default Cato Certificate with the Common Name (CN) Cato Networks CA

  • 2024 Default Cato Certificate with the CN Cato Networks Root CA

How is the new certificate activated on devices?

The way the certificate is activated depends on the device Operating System and the Cato Client version. You can view the Client version used on all devices in your account from the Remote User Dashboard.

Windows Devices

Devices running the Cato Windows Client version 5.11 and higher support the new and old certificates. To activate the new certificate, upgrade to this version and activate the certificate in the CMA. After the new certificate is activated in the CMA, no additional action is required for devices with these Client versions.

For lower Client versions, the certificate should be distributed to the device with an MDM or installed manually. For more information, see Distributing and Installing Device Certificates.

macOS Devices

New installations of Cato macOS Client version 5.7 and higher support both the old and new certificates. To activate the new certificate, upgrade to this version and activate the certificate in the CMA. After the new certificate is activated in the CMA, no additional action is required for devices with these Client versions.

For devices that upgraded the Client from a lower version to version 5.7 and higher, or for lower Client versions, the certificate should be distributed to the device with an MDM or installed manually. For more information, see Distributing and Installing Device Certificates.

Linux, iOS, or Android Devices

The certificate should be distributed to the device with an MDM or installed manually. For more information, see Distributing and Installing Device Certificates.

Where can I download the new certificate?

You can download a PEM or DER version of the new certificate. To download the certificate:

  1. From the navigation menu, click Security > Certificate Management.

  2. Click the three dots next to the new certificate.

  3. Choose the certificate format you want to download.

You can also download the new certificate from the Client download portal.

What happens to the 2015 certificate after I activate the 2024 certificate?

After you activate the 2024 certificate, the 2015 certificate is still visible on the Security > Certificate Management page with the status Ready for activation. After October 29, 2025, the status will be Expired.

After activating the 2024 certificate, there may be errors on devices that are still using the 2015 certificate.
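
Because devices that lack the 2024 root see errors once it is activated, a per-device check before activation is useful. The following is an added example, not Cato code: constructedRoot, deviceStatus and the status strings are hypothetical, the certificates are constructed stand-ins, and only the CN and validity dates come from this article. It compares by SHA-256 fingerprint because a CN match alone does not prove the store holds the certificate you downloaded.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// constructedRoot builds a throwaway self-signed CA as a stand-in; it is not a real Cato root.
func constructedRoot(cn string, from, to time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// deviceStatus (hypothetical helper) matches on SHA-256 of the DER bytes, so a look-alike CN fails.
func deviceStatus(store []*x509.Certificate, root *x509.Certificate, now time.Time) string {
	if now.Before(root.NotBefore) || now.After(root.NotAfter) {
		return "root not valid at this date"
	}
	status := "missing: install before activating"
	for _, c := range store {
		if sha256.Sum256(c.Raw) == sha256.Sum256(root.Raw) {
			return "ready"
		}
		if c.Subject.CommonName == root.Subject.CommonName {
			status = "same CN, different certificate"
		}
	}
	return status
}

func main() {
	day := func(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }
	root := constructedRoot("Cato Networks Root CA", day(2024, 3, 5), day(2034, 3, 3)) // dates from the article
	lookalike := constructedRoot("Cato Networks Root CA", day(2024, 3, 5), day(2034, 3, 3))
	fmt.Println(deviceStatus([]*x509.Certificate{root}, root, day(2025, 6, 1)))
	fmt.Println(deviceStatus([]*x509.Certificate{lookalike}, root, day(2025, 6, 1)))
}
```

On a real device, replace constructedRoot with encoding/pem and x509.ParseCertificate over the device trust store and over the PEM or DER file downloaded from Certificate Management.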


5 comments

  • Comment author
    Naoki Kimura

    When enabling a new certificate on the Certificate Management page, is it correct to understand that the Issuer CN of the server certificate during TLS inspection changes to the following values?

    Before enabling: Cato Networks CA  
    After enabling: Cato Networks Root CA  

    Additionally, is it correct to understand that enabling the new Cato certificate before installing it on client PCs may result in errors in establishing secure HTTPS connections?  
     

  • Comment author
    Yaakov Simon

    Naoki Kimura - Thanks for the great questions!

    1. These are the details for the certificates and the Common Name (CN):
      1. 2015 Default Cato Certificate with the CN Cato Networks CA
      2. 2024 Default Cato Certificate with the CN Cato Networks Root CA
    2. Yes, after activating the 2024 certificate, there may be errors on devices that are still using the 2015 certificate.

    I updated the article to include this information.

  • Comment author
    CR Krishna Kumar

    1. What is the flow of Cert usage in TLS inspection? After enabling a new certificate in CMA, it immediately starts looking for the new certificate in all the client machines for usage?
    2. If the user machine is not having the NEW Cato 2024 Root Certificate present, it instantly triggers the cert error HTTPS access issues?
    3. How can Admins easily confirm the presence of NEW Cato 2024 Root Certificate in all the client machines in the infra?
    4. Is there any easy way that Cato client can pull the details and verify the presence of NEW Cato 2024 Root Certificate in client machines and populate in CMA for Admin's verification to confirm all machines have it before activating the NEW Cato 2024 Root Certificate in CMA?
    5. What is the best practice to do this Certificate activation from old to new one without any impact, preferably not under a big-bang Change. How to implement this batch-wise?
    6. Disabling TLS inspection temporarily for all SDP users shall minimize or nullify the impact that may be caused due to the Cert renewal process?

  • Comment author
    Michael Goldberg

    Hi CR Krishna Kumar,

    Please see answers to your questions below: 

    1. Once the new certificate is activated in the CMA, the next time the Client connects to a PoP, it will see that the certificate installed on the device doesn’t match the certificate for your account and there will be a trust error. For more information on how Certificates are used in TLS inspection, see Configuring the TLS Inspection Policy.
    2. Once you activate the new Root Certificate, any device without this certificate will experience access issues. However for newer Windows and macOS Client versions, the new 2024 certificate is installed on the device and no action is required by end users.
    3. See the ‘How is the new certificate activated on devices?’ question above.  
    4. This is not supported.
    5. Ensure all Client versions in your account are a version that has the new certificate automatically supported, then activate the certificate in the CMA.
    6. We don’t recommend temporarily disabling TLS inspection.

  • Comment author
    Lukas Ørsted

    How do I prevent any errors happening?