Transparent SSL interception still does not work properly after replacing the expired certificate in ProxySG


Article ID: 167011



SG-300 SG-600 SG-9000 SWG VA-100


Transparent SSL interception still does not work after replacing the expired certificate on the ProxySG. The client either receives the old certificate from the ProxySG, or the certificate path is incomplete when checked from the browser.


When a certificate in a keyring that is used to intercept SSL traffic has expired, a new certificate needs to be obtained. If the new certificate is to be signed by a third-party CA or by the customer's own public key infrastructure, the certificate needs to be:

  •  signed with the authority to sign other certificates
  •  imported into the ProxySG CA list and into the keyring. Detailed steps on how to create a certificate with this authority, and how to import it into the keyring and the CA list, can be found in 000008716.

To verify that the certificate is authorized to sign certificates:

  1. Double-click the certificate to view its contents.
  2. Click the Details tab.
  3. Scroll down the list and look for the field called Key Usage.
  4. The correct certificate has the following Key Usage value:

             Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)
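The same check from the command line, as an added example that is not part of this KB article: it builds two constructed test certificates with OpenSSL (the file paths, subject names and config section names are assumptions) and reports whether each one is unexpired and carries Certificate Sign in its Key Usage, which is what the Windows certificate viewer shows as "Certificate Signing".

```shell
# Added example (not from the KB article): two constructed certificates,
# one CA-capable and one ordinary server certificate, checked for fitness
# as an SSL interception signing certificate. Paths and names are assumed.
set -u

WORK=$(mktemp -d)
CA_CERT="$WORK/ca.pem"       # constructed: certificate with signing authority
LEAF_CERT="$WORK/leaf.pem"   # constructed: plain server certificate, no authority

# Minimal OpenSSL request config with two extension profiles.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

mkcert() {  # $1=output cert  $2=extension section  $3=subject CN
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1.key" -out "$1" -subj "/CN=$3" \
    -config "$WORK/req.cnf" -extensions "$2" >/dev/null 2>&1
}
mkcert "$CA_CERT"   ca_ext   "Proxy Intercept CA (constructed)"
mkcert "$LEAF_CERT" leaf_ext "www.example.test (constructed)"

# Returns 0 when the certificate is still valid and its Key Usage permits
# signing other certificates; otherwise prints the reason and returns 1.
check_signing_cert() {
  cert="$1"
  # -checkend 0 fails when notAfter is already in the past
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo "FAIL ($cert): certificate has expired"; return 1
  fi
  ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null)
  case "$ku" in
    *"Certificate Sign"*)
      echo "OK   ($cert): Key Usage allows certificate signing"; return 0 ;;
    *)
      echo "FAIL ($cert): Key Usage lacks Certificate Sign"; return 1 ;;
  esac
}

for c in "$CA_CERT" "$LEAF_CERT"; do
  check_signing_cert "$c" || true   # the leaf certificate is expected to fail
done
```

Run the check against the renewed certificate before importing it into the keyring; a FAIL on Key Usage means the issuing CA did not grant signing authority and the certificate must be reissued.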

SSL interception should work properly after the renewed certificate is imported, provided the criteria above are met. Refer to 000008716 for detailed steps on how to deploy SSL interception in a transparent deployment.