# How To: Compare Between the Gateway's Certificate and the Upstream Certificate

This issue relates to traffic validation between the gateway certificate and the upstream certificate. It usually shows up as an asset that does not work on Android but works on iOS and in web browsers.

### First Option

1. **Browse** to the protected asset in the Chrome browser.
2. Click on the **lock icon** → **Certificate is valid** (to see the full certificate).
3. Move to the **Details** tab → choose the lowest hierarchy and click **Export**. Save the file on the local machine.\
   ![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FrO4btsNchimvd5xhOH9h%2Fimage.png?alt=media\&token=09c96599-85db-4986-891d-cec02eb27750)
4. **Log in** via SSH to the AppSec Gateway machine.
5. **Browse** to `/etc/cp/rpmanager/manualCerts`, get the private key file, and **save** it locally in the same folder as the file from step 3.
6. **Run** both files with CertVerify according to the manual: [Store Certificates on Gateway - CloudGuard AppSec (checkpoint.com)](https://appsec-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway)
7. **Place** the exported .pkg file under `/etc/certs`.
8. **Log in** to the Infinity Portal and click **Enforce**.

### Second Option

1. **Log in** via SSH to the AppSec Gateway machine.
2. **Run** `echo | openssl s_client -showcerts -servername <Protected URI> -connect 127.0.0.1:443 > proxy_certs.txt`
3. **Run** `echo | openssl s_client -showcerts -servername <Protected URI> -connect <Upstream IP>:443 > upstream_certs.txt`
4. Check the difference between `proxy_certs.txt` and `upstream_certs.txt`.
5. In case they are different, fix it manually:
   1. **Copy** the certs from the `upstream_certs.txt` file into `/etc/cp/rpmanager/manualCerts/<Cert File Name>.pem`
   2. **Copy** the certs from the `upstream_certs.txt` file into `/etc/certs/<Cert File Name>.pem`
6. **Run** `docker exec <nginx container> nginx -s reload`
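
The comparison in step 4, as an added example that is not part of the original page or Check Point tooling: the two captures will normally differ in a plain `diff` because `s_client` prints per-session details around the certificates, so this script compares only the PEM blocks by SHA-256 fingerprint and reports whether the leaf or only the rest of the chain differs. The function names and the demo input are constructed for illustration; it assumes `awk`, `base64` and `sha256sum` are available on the machine.

```shell
#!/bin/sh
# Added example, not Check Point tooling. Compares the certificates inside two
# `openssl s_client -showcerts` captures and ignores the session lines around them.

# Print one SHA-256 fingerprint (of the DER bytes) per PEM block, in chain order.
chain_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { in_cert = 0; print body; next }
        in_cert                       { body = body $0 }
    ' "$1" | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# Prints MATCH, CHAIN_DIFFERS (same leaf, different certificates after it),
# LEAF_DIFFERS, or NO_CERTS (a capture holds no certificate, e.g. failed connect).
compare_chains() {
    proxy_fps=$(chain_fingerprints "$1")
    upstream_fps=$(chain_fingerprints "$2")
    if [ -z "$proxy_fps" ] || [ -z "$upstream_fps" ]; then
        echo NO_CERTS; return 2
    fi
    if [ "$proxy_fps" = "$upstream_fps" ]; then
        echo MATCH; return 0
    fi
    proxy_leaf=$(printf '%s\n' "$proxy_fps" | head -n 1)
    upstream_leaf=$(printf '%s\n' "$upstream_fps" | head -n 1)
    if [ "$proxy_leaf" = "$upstream_leaf" ]; then
        echo CHAIN_DIFFERS
    else
        echo LEAF_DIFFERS
    fi
    return 1
}

# Constructed stand-in for one PEM block (arbitrary bytes, not a real certificate).
fake_cert() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        "$(printf '%s' "$1" | base64)" '-----END CERTIFICATE-----'
}

# Constructed demo: same leaf, but the gateway capture lacks the intermediate.
demo_dir=$(mktemp -d)
{ echo 'Session-ID: 1111'; fake_cert leaf; } > "$demo_dir/proxy_certs.txt"
{ echo 'Session-ID: 2222'; fake_cert leaf; fake_cert intermediate; } > "$demo_dir/upstream_certs.txt"
compare_chains "$demo_dir/proxy_certs.txt" "$demo_dir/upstream_certs.txt" || true
rm -rf "$demo_dir"
```

On the gateway, call `compare_chains proxy_certs.txt upstream_certs.txt` against the files produced in steps 2 and 3; a `CHAIN_DIFFERS` result means the leaf is identical and only the certificates after it differ.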

{% hint style="info" %}
To prevent this from happening again after changing the certificates, we advise using the CertVerify tool and adding the full chain to the certificate.
{% endhint %}
