Transparent SSL interception still does not work after replacing the expired certificate on the ProxySG. The client either receives the old certificate from the ProxySG, or the certificate path is incomplete when checked from the browser.
When a certificate in a keyring that is used to intercept the SSL traffic has expired, a new certificate needs to be obtained. If the new certificate is going to be signed by a third party CA or by the customer's public key infrastructure, the certificate needs to be:
To verify whether the certificate is authorized to sign certificates:
Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
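The value in parentheses is the Key Usage bit string in hex; a certificate that signs other certificates needs the Certificate Signing bit (keyCertSign) set. The Python below is an added example, not part of the original article. Its function names and sample byte strings are constructed for illustration, and it assumes the viewer prints the raw Key Usage bytes in hex.

```python
# Added example: decode a Key Usage value such as the "(86)" shown above.
# Bit names follow RFC 5280; bit 0 is the most significant bit of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def _names(payload: bytes) -> list:
    """Map one or two Key Usage bytes to the RFC 5280 bit names that are set."""
    if not 1 <= len(payload) <= 2:
        raise ValueError("Key Usage is one or two bytes")
    bits = int.from_bytes(payload, "big") << (8 * (2 - len(payload)))  # pad to 16 bits
    return [name for i, name in enumerate(KEY_USAGE_BITS) if bits & (0x8000 >> i)]

def decode_viewer_hex(hex_value: str) -> list:
    """Decode the hex shown by a certificate viewer, e.g. '86' (assumed raw bytes)."""
    return _names(bytes.fromhex(hex_value))

def parse_key_usage_der(der: bytes) -> list:
    """Decode the DER BIT STRING (tag 0x03) that carries the Key Usage value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    if der[1] != len(der) - 2:
        raise ValueError("length byte does not match the data")
    unused, payload = der[2], der[3:]
    # DER requires the unused trailing bits to be zero.
    if unused > 7 or payload[-1] & ((1 << unused) - 1):
        raise ValueError("invalid unused-bit count or padding")
    return _names(payload)

def can_sign_certificates(usages: list) -> bool:
    """True when the Certificate Signing (keyCertSign) bit is present."""
    return "keyCertSign" in usages

if __name__ == "__main__":
    # Constructed samples: "86" is the value from the article; "a0" is a typical
    # server certificate (digitalSignature + keyEncipherment) that cannot sign.
    for sample in ("86", "a0"):
        usages = decode_viewer_hex(sample)
        print(sample, usages, "can sign:", can_sign_certificates(usages))
```

Under RFC 5280, keyCertSign is only valid when the Basic Constraints extension of the same certificate also marks it as a CA, so check both fields.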
SSL interception should work properly after importing the renewed certificate, provided the above criteria are met. Refer to 000008716 for detailed steps on how to deploy SSL interception in a transparent deployment.