Getting certificate prompt error while doing Transparent Authentication via SSL even after installing the keyring from the Proxy into the browser

Article ID: 165772

Products

ProxySG Software - SGOS

Issue/Introduction

1. SSL authentication still produces a certificate prompt even though the keyring from the ProxySG has been installed in the browser.

2. The certificate from the ProxySG has been installed in the Root Certificate folder of the browser (IE).

Resolution

This issue occurs because the Common Name (CN) in the keyring that has been installed in the browser is different from the hostname of the Virtual URL for SSL transparent authentication.

1. Create a new keyring by going to Management Console->Configuration->SSL->Keyrings and clicking Create.

2. Enter a name for the keyring (SSL_Proxy01, or any other name you choose), click show keypair, select generate new, click OK, and then click APPLY on the main screen.

3. Click the new keyring that you have created to highlight it, then click edit at the bottom. A box will appear.

4. In the certificate column at the top, click create and fill in the information. When filling in the information, make sure the Common Name is the same as the SSL authentication Virtual URL hostname. For example, if your SSL Authentication Virtual URL is https://proxy01:4433, then the Common Name is proxy01. This is extremely important.

5. Once this is done, use this keyring for your HTTPS Reverse Proxy service on port 4433, which is found under Services->Proxy Services. This is the same service that you created when creating the SSL Authentication Realm. Change the keyring from whatever you had earlier to the one that you just created. As a refresher, see /articles/Solution/SSLTransparentProxyAuthenticationusingIWA

6. Now open the Visual Policy Manager and go to your SSL Intercept Layer. In the action where you have Enable HTTPS Interception, right-click, choose edit, and change the keyring to the one that you have just created.

7. Next, download the keyring that you have just created from https://<proxyIP>:8082/SSL/Download_ca and save it to your Desktop or anywhere you like on your computer.

8. Install this certificate into your browser's Trusted Root Certificate store and you will no longer get the certificate prompt. This certificate can also be installed in all the browsers on all computers by pushing it via GPO.
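To confirm the Common Name requirement from step 4 before distributing the certificate, the CN of the downloaded file can be compared with the Virtual URL hostname. The script below is an added example, not part of the original article or of ProxySG; it assumes the certificate was saved in PEM format and that the `openssl` command-line tool is available, and the function names and the sample certificates it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a certificate's subject CN with the hostname of the
# SSL authentication Virtual URL. Function names are hypothetical.

# Print the hostname of a URL, e.g. https://proxy01:4433/path -> proxy01
virtual_url_host() {
    printf '%s\n' "$1" |
        sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##; s#[/?].*$##; s#:[0-9]+$##'
}

# Print the subject Common Name of a PEM certificate file
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -E 's/^subject= *//; s/(^|.*,)CN=([^,]*).*/\2/'
}

# Return 0 when the CN equals the Virtual URL hostname (case-insensitive)
check_cn_matches_virtual_url() {
    want=$(virtual_url_host "$2" | tr '[:upper:]' '[:lower:]')
    have=$(cert_cn "$1" | tr '[:upper:]' '[:lower:]')
    if [ -n "$have" ] && [ "$have" = "$want" ]; then
        echo "OK: CN '$have' matches Virtual URL host '$want'"
        return 0
    fi
    echo "MISMATCH: CN is '$have' but Virtual URL host is '$want'"
    return 1
}

# Constructed sample input: throwaway self-signed certificate with the given CN
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on constructed certificates (not taken from a real ProxySG)
demo_dir=$(mktemp -d)
make_sample_cert proxy01 "$demo_dir/match.pem"
make_sample_cert sgproxy "$demo_dir/other.pem"
check_cn_matches_virtual_url "$demo_dir/match.pem" "https://proxy01:4433"
check_cn_matches_virtual_url "$demo_dir/other.pem" "https://proxy01:4433" || true
rm -rf "$demo_dir"
```

For the file saved in step 7, call `check_cn_matches_virtual_url` with its path and your own Virtual URL; a MISMATCH result means the keyring needs to be recreated with the correct Common Name.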