When accessing an HTTPS site, the browser displays an exception stating that the certificate is invalid

Article ID: 167399

Products

Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS

Issue/Introduction

When accessing an HTTPS site, the browser displays an exception stating that the certificate is invalid.

Resolution

The ProxySG returns an exception if the certificate presented by the Origin Content Server (OCS) is not valid. Possible causes are the expiration date, a name that does not match the URL, a self-signed certificate, or an intermediate Certificate Authority (CA) missing from the chain. In short, the certificate either is not valid or cannot be validated.
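
To find out which of these causes applies to a site before deciding how to handle it, the following added example (not part of the original article) performs a fully validated TLS handshake and maps the OpenSSL verify code to the causes listed above. It assumes a workstation that can reach the site directly and it uses that machine's trust store, so the verdict can differ from the ProxySG's own CA certificate list; `classify` and `diagnose` are names chosen for this example.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes mapped to the causes listed in this article.
CAUSES = {
    9: "not yet valid",
    10: "expired",
    18: "self-signed",
    19: "untrusted self-signed root in chain",
    20: "issuer not found (missing intermediate or untrusted CA)",
    21: "issuer not found (missing intermediate or untrusted CA)",
    62: "name does not match URL",
}


def classify(verify_code):
    """Translate an OpenSSL verify code into one of the causes above."""
    return CAUSES.get(verify_code, f"other validation failure (code {verify_code})")


def diagnose(host, port=443, timeout=5.0):
    """Handshake with full validation; return 'valid' or the failure cause."""
    # Assumption: the local trust store stands in for the proxy's CA list.
    ctx = ssl.create_default_context()  # chain and hostname checks enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "valid"
    except ssl.SSLCertVerificationError as err:
        return classify(err.verify_code)
    except (ssl.SSLError, OSError) as err:
        # Unreachable host, timeout or non-certificate TLS failure.
        return f"no verdict: {err.__class__.__name__}"


if __name__ == "__main__":
    # Usage: python diagnose.py www.mysecuresite.com [more hosts...]
    for name in sys.argv[1:]:
        print(f"{name}: {diagnose(name)}")
```

A result of "issuer not found" or "expired" points to a problem the site owner should fix, while "name does not match URL" on a site that previously validated deserves investigation before any exemption is created.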

Generally speaking, it is best to deny access to those web sites, because an invalid certificate could indicate a "man in the middle": the ProxySG is not connecting directly to the server, and the privacy of the connection could be compromised.

If absolutely necessary, Certificate Validation can be disabled. We strongly recommend disabling Certificate Validation only for the specific domain rather than disabling it completely.

To disable Server Certificate Validation for a particular URL:

In the Management Console, go to Configuration tab > Policy > Policy Files. Under "Install Local File from:", select Text Editor and click the Install button.

Copy and paste the following Content Policy Language (CPL) code and replace www.mysecuresite.com with the real domain name:

<SSL>
   url.domain=www.mysecuresite.com server.certificate.validate(no)

This can also be accomplished via the Visual Policy Manager (VPM) by setting up an SSL Access Layer with a specific Source and a Server Certificate Validation Action.