Error "Network Error (ssl_server_cert_untrusted_issuer)" when trying to access some HTTPS websites


Article ID: 167695




Advanced Secure Gateway Software - ASG, ProxySG Software - SGOS


Users cannot access certain HTTPS websites when SSL interception is enabled. They receive the error “Network Error (ssl_server_cert_untrusted_issuer)”.


The ProxySG appliance has an internal trusted CA certificate list. If a web server has a certificate issued by a CA (Certificate Authority) that is unknown to the appliance, the appliance denies access by default.

To bypass this error, do one of the following:

Solution 1: Have the ProxySG appliance trust the CA

Use this solution only if you trust the CA. This solution also applies when users have an internal PKI server which issues certificates to internal websites. To add the CA to a trusted list, see the article “Why is the browser showing error "Network Error (ssl_server_cert_untrusted_issuer)"?”.
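
To decide whether Solution 1 applies, it helps to see which CA issued the server's certificate and whether that certificate chains to a given trust list. The shell functions below are an added example, not part of the original article or of the vendor's tooling. They assume OpenSSL 1.1.0 or later, a PEM bundle standing in for the appliance's trusted CA list, a constructed demo PKI, and a mapping of OpenSSL error codes 18 to 21 onto untrusted_issuer that is this example's own.

```shell
#!/bin/sh
# Added example. Requires OpenSSL 1.1.0 or later.

# fetch_leaf HOST PORT OUT.pem: save the certificate the server presents.
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$3"
}

# issuer_of CERT.pem: print the issuing CA, the one Solution 1 would have to trust.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

# issuer_status CERT.pem BUNDLE.pem [INTERMEDIATES.pem]
# BUNDLE.pem stands in for the trusted CA list (assumption of this example).
# Prints trusted | untrusted_issuer | other:<code>; returns 0 only when trusted.
issuer_status() {
    cert=$1 bundle=$2 inter=${3:-}
    set -- -CAfile "$bundle" -no-CApath   # trust the bundle only, not system CAs
    [ -n "$inter" ] && set -- "$@" -untrusted "$inter"
    if out=$(openssl verify "$@" "$cert" 2>&1); then
        echo trusted
        return 0
    fi
    code=$(printf '%s\n' "$out" |
        sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
    case $code in
        # OpenSSL's "no chain to a trusted root" codes. Treating them as the
        # counterpart of untrusted_issuer is an assumption of this example.
        18|19|20|21) echo untrusted_issuer ;;
        *) echo "other:${code:-unknown}" ;;
    esac
    return 1
}

# make_demo_pki DIR: constructed sample data. Creates ca.pem (demo internal CA),
# leaf.pem (server certificate issued by it) and other.pem (an unrelated CA).
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Internal CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated CA" \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=intranet.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}
```

Against a real server, run `fetch_leaf` first and pass the saved file to `issuer_of` and `issuer_status`. A result of `untrusted_issuer` that turns into `trusted` once the issuing CA is in the bundle is the case Solution 1 addresses.
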
Solution 2: Disable SSL server certificate validation

Perform this solution using an SSL Access Layer in the Visual Policy Manager (VPM). In the SSL Access Layer, disable the “Untrusted Issuer” check while keeping the other validations intact.

  1. In the Management Console, launch the VPM.
  2. Create a new SSL Access Layer.
  3. Add a new Rule.
  4. Edit the Source to match your requirement (alternatively, select Any).
  5. Edit the Destination and add the server address, such as
  6. Right click the Action column and select Set > New > Set Server Certificate Validation.
  7. Select Ignore untrusted issuer.
  8. Select OK > OK to return to the VPM.
  9. Click Install Policy.

The equivalent policy in CPL is as follows:

<SSL>
    server.certificate.validate(yes) server.certificate.validate.ignore(untrusted_issuer)


Solution 3: Tunnel the traffic

By forcing the traffic into a tunnel, the proxy does not perform server certificate verification. The procedure differs depending on whether the deployment is Explicit or Transparent.

Explicit deployment:

  1. In the Management Console, launch the VPM.
  2. Create a new Web Access Layer.
  3. Add a new Rule.
  4. Edit the Source to match your requirement (alternatively, select Any).
  5. Edit the Destination and add the server address, such as
  6. Right click the Action column and select Set > Disable Protocol Detection.
  7. Select OK > OK to return to the VPM.
  8. Click Install Policy.

Transparent deployment:

  1. Go to Configuration > Services > Proxy Services.
  2. Create a new service.
  3. Set Source to the required source IP network.
  4. Set Destination to the required destination network.
  5. Set the Proxy type to TCP Tunnel.