# How To: Compare Between the Gateway's Certificate and the Upstream Certificate

This issue relates to validation of traffic between the gateway certificate and the upstream certificate. It usually shows up as an asset that does not work on Android but works on iOS and in web browsers.

### First Option

1. **Browse** to the protected asset in the Chrome browser.
2. Click on the **lock icon** → **Certificate is valid** (to see the full certificate).
3. Go to the **Details** tab → choose the lowest entry in the hierarchy and click **Export**. Save the file on the local machine.\
   ![](https://2760087783-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FEWA4nfgNrSRL8dA6Kap7%2Fuploads%2FrO4btsNchimvd5xhOH9h%2Fimage.png?alt=media\&token=09c96599-85db-4986-891d-cec02eb27750)
4. **Log in** via SSH to the AppSec Gateway machine.
5. **Browse** to /etc/cp/rpmanager/manualCerts, get the private key file, and **save** it locally in the same folder as the file from step 3.
6. **Run** both files with CertVerify according to the manual: [Store Certificates on Gateway - CloudGuard AppSec (checkpoint.com)](https://appsec-doc.inext.checkpoint.com/getting-started/deploy-enforcement-point/gateway-virtual-machine/azure/store-certificates-on-gateway)
7. **Place** the exported .pkg file under /etc/certs.
8. **Log in** to the Infinity Portal and click **Enforce**.

### Second Option

1. **Log in** via SSH to the AppSec Gateway machine.
2. **Run** `echo | openssl s_client -showcerts -servername <Protected URI> -connect 127.0.0.1:443 > proxy_certs.txt`
3. **Run** `echo | openssl s_client -showcerts -servername <Protected URI> -connect <Upstream IP>:443 > upstream_certs.txt`
4. Check the difference between proxy\_certs.txt and upstream\_certs.txt.
5. In case they are different, fix it manually:
   1. **Copy** the certs from the upstream\_certs.txt file into /etc/cp/rpmanager/manualCerts/\<Cert File Name>.pem
   2. **Copy** the certs from the upstream\_certs.txt file into /etc/certs/\<Cert File Name>.pem
6. **Run** `docker exec <nginx container> nginx -s reload`
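
A raw `diff` of the two captures from step 4 always reports differences, because `s_client` also prints per-connection session details. The script below is an added example, not part of the CloudGuard tooling: it extracts only the PEM certificate blocks from each capture and compares them by position. The function names and the sample captures are constructed for illustration, and `sha256sum` is assumed to be available on the machine.

```shell
#!/bin/sh
# Added example: compare only the certificates in two
# `openssl s_client -showcerts` captures, ignoring handshake/session text.

# Print "<position> <sha256>" for every PEM certificate block in capture $1.
# The digest covers the base64 body, so line wrapping and CRLF are ignored.
# Note: s_client repeats the leaf under "Server certificate", so it may
# appear twice in each capture; both captures are treated the same way.
cert_digests() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { in_cert = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (in_cert) print ++n, body; in_cert = 0; next }
        in_cert { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1" | while read -r pos body; do
        printf '%s %s\n' "$pos" "$(printf '%s' "$body" | sha256sum | cut -d" " -f1)"
    done
}

# Return 0 if both captures hold the same blocks in the same order,
# 1 if they differ, 2 if either capture contains no certificate.
compare_chains() {
    proxy=$(cert_digests "$1")
    upstream=$(cert_digests "$2")
    if [ -z "$proxy" ] || [ -z "$upstream" ]; then
        echo "ERROR: no certificate found in one of the captures" >&2
        return 2
    fi
    if [ "$proxy" = "$upstream" ]; then
        echo "MATCH: gateway and upstream present the same certificates"
        return 0
    fi
    echo "DIFFERENT: certificate digests by position"
    echo "gateway:";  echo "$proxy"    | sed 's/^/  /'
    echo "upstream:"; echo "$upstream" | sed 's/^/  /'
    return 1
}

# Constructed sample captures (placeholder base64, not real certificates).
demo_dir=$(mktemp -d)
printf '%s\n' 'CONNECTED(00000003)' '-----BEGIN CERTIFICATE-----' 'TEVBRkNFUlQ=' \
    '-----END CERTIFICATE-----' 'Session-ID: AAAA' > "$demo_dir/proxy_certs.txt"
printf '%s\n' 'CONNECTED(00000005)' '-----BEGIN CERTIFICATE-----' 'TEVBRkNFUlQ=' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' \
    '-----END CERTIFICATE-----' 'Session-ID: BBBB' > "$demo_dir/upstream_certs.txt"
compare_chains "$demo_dir/proxy_certs.txt" "$demo_dir/upstream_certs.txt" || true
```

On the gateway, call `compare_chains proxy_certs.txt upstream_certs.txt` on the real captures; an exit status of 1 with fewer blocks on the gateway side points to a missing intermediate in the chain.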

{% hint style="info" %}
To prevent this from happening again after changing the certificates, we advise using the CertVerify tool and adding the full chain to the certificate.
{% endhint %}

