Browser still shows "Network Error (ssl_server_cert_untrusted_issuer)" after a valid server certificate is imported into ProxySG

Article ID: 167690

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

Sometimes, after an expired CA certificate has been renewed and the valid certificate re-imported, the "ssl_server_cert_untrusted_issuer" error still persists.

When the same site is tested over a direct Internet connection, the browser does not receive the "ssl_server_cert_untrusted_issuer" error.

Resolution

By default, the SSL Proxy trusts the "browser-trusted" CCL server certificate (Management console > Configuration > Proxy Settings > SSL Proxy). The "browser-trusted" CCL consists of most, if not all, public server certificates.

Hence, the newly imported certificate needs to be added to the "browser-trusted" CCL before it will be trusted by ProxySG's SSL Proxy. This can be accomplished with the following steps.

  1. From the Management console, navigate to Configuration (tab) > SSL > CA Certificate > CA Certificate Lists.
  2. Select "browser-trusted" and click Edit.
  3. The newly imported server certificate will appear in the left pane; select it and click Add.
  4. Click OK, then Apply for the changes to take effect.

Note: A new feature that automatically updates the CA list was introduced in SGOS 6.3. Please visit KB4826 for more information.
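The difference between "imported" and "in the trusted list" can be reproduced off the appliance. This is an added example, not ProxySG code or output: it uses the OpenSSL command line on a workstation, and every file name, subject and the `browser-trusted.pem` stand-in list is constructed for the illustration.

```shell
#!/bin/sh
# Constructed lab: every name, subject and file here is made up for the example.
WORK=$(mktemp -d)
LIST="$WORK/browser-trusted.pem"   # stand-in for the proxy's trusted CA list

new_ca() {  # new_ca <basename> <common name>: create a self-signed CA certificate
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_lab() {
    new_ca public-ca  "Constructed Public CA"    # already in the trust list
    new_ca renewed-ca "Constructed Renewed CA"   # imported, not yet listed
    # Server certificate issued by the renewed CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
        -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/srv.csr" -days 2 -CA "$WORK/renewed-ca.pem" \
        -CAkey "$WORK/renewed-ca.key" -CAcreateserial -out "$WORK/srv.pem" 2>/dev/null
    cp "$WORK/public-ca.pem" "$LIST"
}

# trusted_by <ca list> <certificate>: succeeds only if the issuer is in the list.
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {
    if trusted_by "$LIST" "$WORK/srv.pem"; then echo "$1: trusted"
    else echo "$1: untrusted issuer"; fi
}

make_lab
openssl x509 -noout -subject -issuer -in "$WORK/srv.pem"
report "CA imported but not in list"
cat "$WORK/renewed-ca.pem" >> "$LIST"      # the equivalent of step 3, "Add"
report "CA added to list"
```

The server certificate and the CA file are identical in both checks; only the contents of the list the verifier consults change, which is why importing the certificate alone does not clear the error.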