Sometimes, when a user navigates to a secured Web address in a browser, the origin content server (OCS) requests a certificate to authenticate the user. For intercepted HTTPS connections, the ProxySG appliance must provide the certificate on behalf of the client for the transaction to succeed. Starting in SGOS 6.3, you can upload client certificates to the ProxySG appliance for use in SSL proxy connections that require client authentication. The ProxySG appliance stores each client certificate and its key in its own keyring. You can then write policy that instructs the appliance which client certificate to use, and when to use it. For convenience, you can also group client certificates and keyrings into a keylist that contains all of the client certificates for a specific purpose, such as certificates for a specific website or certificates for users in a particular group.
NOTE: The ProxySG appliance cannot select a client certificate during SSL renegotiation. Therefore, if a website requests a client certificate during SSL renegotiation, the appliance presents an empty client certificate to the site. Keep in mind that Microsoft IIS (version 6 and later) is configured by default to request client certificates during SSL renegotiation handshakes. This feature therefore does not work with an IIS server unless you disable this behavior by enabling SSLAlwaysNegoClientCert (IIS 6), using the netsh command (IIS 7), or running the enable_ssl_renegotiate_workaround.js script (IIS 7). Refer to the Microsoft documentation for details on how to use these options.
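One way to check which case in the NOTE above a given server falls into, as an added example that is not part of the original documentation: the function reads `openssl s_client -msg` output and reports whether the server's CertificateRequest arrived in the initial handshake or only after renegotiation. The transcripts are constructed and abbreviated, and the function and sample names are hypothetical.

```shell
# Added example: classify when a server asks for a client certificate, from
# `openssl s_client -connect HOST:443 -msg` output (HOST is a placeholder).
# Lines starting with "<<<" are handshake messages received from the server.
classify_cert_request() {
    awk '
        # A server Finished marks the end of one complete handshake.
        /^<<< / && /Finished/ { finished++ }
        /^<<< / && /CertificateRequest/ {
            if (finished == 0) initial = 1   # asked in the first handshake
            else reneg = 1                   # asked only after renegotiating
        }
        END {
            if (initial)    print "initial"
            else if (reneg) print "renegotiation"
            else            print "none"
        }'
}

# Constructed, abbreviated transcripts (hex dumps omitted).
sample_initial() {
    cat <<'EOF'
>>> TLS 1.2, Handshake [length 00c8], ClientHello
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0a3c], Certificate
<<< TLS 1.2, Handshake [length 0030], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0010], Finished
<<< TLS 1.2, Handshake [length 0010], Finished
EOF
}

sample_reneg() {
    cat <<'EOF'
>>> TLS 1.2, Handshake [length 00c8], ClientHello
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0a3c], Certificate
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
>>> TLS 1.2, Handshake [length 0010], Finished
<<< TLS 1.2, Handshake [length 0010], Finished
<<< TLS 1.2, Handshake [length 0004], HelloRequest
>>> TLS 1.2, Handshake [length 00c8], ClientHello
<<< TLS 1.2, Handshake [length 0051], ServerHello
<<< TLS 1.2, Handshake [length 0030], CertificateRequest
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
<<< TLS 1.2, Handshake [length 0010], Finished
EOF
}

echo "initial sample:       $(sample_initial | classify_cert_request)"
echo "renegotiation sample: $(sample_reneg | classify_cert_request)"
```

A result of `renegotiation` is the case in which the appliance presents an empty client certificate; `initial` is the case in which policy can select a keyring or keylist.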
To enable SSL proxy to provide client certificates to an OCS: