SSL Proxy might fail with "Failed to create authority key identifier extension" and "unable to get issuer keyid" after upgrading to SGOS 6.3 and above


Article ID: 166941




Asset Management Solution ProxySG Software - SGOS


SSL Proxy might fail after upgrading to SGOS 6.3, 6.4 and 6.5. The following messages are logged in the Event Log:

- Failed to create authority key identifier extension

- unable to get issuer keyid



In SGOS 6.3, 6.4 and 6.5 the code has been tightened to ensure that the certificate in ssl.forward_proxy.issuer_keyring is indeed a CA. SSL Proxy checks that certificate for the Subject Key Identifier and Authority Key Identifier extensions, and interception fails when they are missing. This does not mean that you cannot use a self-signed certificate for SSL interception.

To address the problem:

1. Create a new Certificate Signing Request (000008819)

2. Sign the CSR with your Certificate Authority

3. Import the new certificate into your list of CAs (000011775)

Note: It is important that the new certificate you are using for interception holds the following extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

If you are using XCA to sign your certificate, these extensions can be found under 'Extensions --> Key Identifier'.
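
The certificate can be checked for these extensions before it is imported. The shell functions below are an added example, not part of the original article or of SGOS; they inspect the output of openssl x509 -noout -text, and the function names and sample text are constructed for illustration.

```shell
# Added example, not from the original article.
# Reads "openssl x509 -noout -text" output on stdin. Prints "OK", or
# "MISSING: ..." naming each absent requirement; returns 0 or 1.
check_cert_text() {
    text=$(cat)
    missing=""
    for ext in "Subject Key Identifier" "Authority Key Identifier"; do
        printf '%s\n' "$text" | grep -q "X509v3 $ext" \
            || missing="${missing:+$missing, }$ext"
    done
    # The issuer keyring certificate must be a CA: the line after the
    # Basic Constraints header has to carry CA:TRUE.
    printf '%s\n' "$text" | awk '
        /X509v3 Basic Constraints/ { getline; if ($0 ~ /CA:TRUE/) ok = 1 }
        END { exit !ok }' || missing="${missing:+$missing, }Basic Constraints CA:TRUE"
    if [ -n "$missing" ]; then
        echo "MISSING: $missing"
        return 1
    fi
    echo "OK"
}

# Wrapper for a PEM file; the path is supplied by the caller.
check_cert_file() {
    openssl x509 -in "$1" -noout -text | check_cert_text
}

# Constructed sample: CA certificate with a Subject Key Identifier but
# no Authority Key Identifier (the key id value is made up).
sample_no_akid() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
EOF
}

# Constructed sample: the same certificate with both key identifiers.
sample_complete() {
    sample_no_akid
    cat <<'EOF'
            X509v3 Authority Key Identifier:
                keyid:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
EOF
}
```

Running check_cert_file on the signed certificate before step 3 shows whether it would trigger the Event Log errors listed above.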


Note: If a new keyring was created in this process, you need to change the SSL Proxy Issuer Keyring to the new keyring. To do so, go to Management Console GUI - Configuration - Proxy Settings - SSL Proxy - Issuer Keyring.