Reverse Proxy prompted for "Untrusted Issuer," though using well known third party CA certs

Article ID: 166868

Products

ProxySG Software - SGOS

Issue/Introduction

We have configured an SSL reverse proxy through the Bluecoat ProxySG appliance, forwarding HTTPS to the back-end web server.

The Bluecoat and web server have been installed with well-known third-party CA certificates (for example, DigiCert certificates).

If I have "validate SSL certificate" in the forwarding object configuration, the connection fails with this message: "Network Error (ssl_server_cert_untrusted_issuer)."

I have checked and the valid Digicert CA certificates are present on the appliance.

Resolution

Although enabling "validate SSL certificate" on the forwarding host server does increase security, it is advisable only if you are using internally created CA certificates issued from an internal PKI root CA, and have the root CA certificates installed in the ProxySG.

This is because, if you are using third-party certificates (DigiCert, VeriSign, etc.), you will not have the CA root certificates installed in the ProxySG, as the third-party certificate issuer will not share the root CA as a security measure.

If you enable the forwarding host server "validate SSL certificate" option without using internally created CA certificates (from the internal PKI root CA), you can expect to see the "untrusted issuer" message, as the ProxySG appliance is unable to verify the certificates further against the root CA, because it is not installed in the ProxySG's CA list.
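To reproduce the same validation outcome outside the appliance before enabling the option, here is an added shell example (not from this article or from the ProxySG product) that builds a throwaway demo root CA and a backend server certificate signed by it, then checks that certificate against a CA list that contains the issuing root and against one that does not. It assumes the openssl CLI is installed; all names and files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the KB article. Assumes the openssl CLI exists.
WORK="${WORK:-$(mktemp -d)}"

# Constructed demo PKI: "Demo Root CA" signs the backend web server cert;
# "Other Root CA" stands in for a CA list that lacks the real issuer.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=backend.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
    -out "$WORK/server.pem" 2>/dev/null
}

# Check the backend certificate against one CA list only (no system store),
# which is what a proxy with "validate SSL certificate" effectively does.
# Returns 0 when the chain validates, 1 otherwise, and prints the verdict.
check_backend_cert() {
  cafile="$1"
  if openssl verify -no-CApath -no-CAfile -CAfile "$cafile" \
       "$WORK/server.pem" >/dev/null 2>&1; then
    echo "OK: issuer of server.pem found in $cafile"
    return 0
  fi
  # Surface openssl's reason, e.g. "unable to get local issuer certificate"
  reason=$(openssl verify -no-CApath -no-CAfile -CAfile "$cafile" \
             "$WORK/server.pem" 2>&1 | grep 'lookup' || true)
  echo "FAIL (untrusted issuer): $reason"
  return 1
}
```

Run `make_demo_pki`, then `check_backend_cert "$WORK/root.pem"` and `check_backend_cert "$WORK/other.pem"` to see the pass and the failure side by side.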