Apple apps fail when passing through the ProxySG Appliance

Article ID: 168649

Products

ProxySG Software - SGOS

Issue/Introduction

iMessage connects to a server using the certificate *.ess.apple.com, which is signed by Apple Root CA.

Apple Root CA is not a CA that common browsers trust. Moreover, the ProxySG appliance does not trust it by default and will terminate the connection with a certificate warning (untrusted issuer).

Cause

The signing certificate for *.ess.apple.com is not trusted by the ProxySG appliance by default.

Resolution

Import the Apple Root CA into the ProxySG CA certificate list:

  1. Download the Apple Root CA (attached below). 
  2. Click Configuration > SSL > CA Certificates > Import.
  3. Open the Apple Root CA in a text editor, then copy everything, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
  4. Name the certificate AppleRoot, then click OK.
  5. Click the CA Certificate Lists tab.
  6. Select browser-trusted and then click Edit.
  7. Select AppleRoot from the left column and click Add >> to add it to the right column.
  8. Click OK and then Apply.
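
Adding a root to the browser-trusted list extends the appliance's trust to certificates that chain to it, so it is worth checking the downloaded file before pasting it in step 3. The following Python sketch is an added example, not part of the original article or any vendor tooling: it confirms the text holds exactly one intact PEM certificate block and that its SHA-256 fingerprint matches a value obtained from the CA out of band. The function names, `SAMPLE_DER` and `SAMPLE_PIN` are constructed for illustration.

```python
import base64, hashlib, re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length_ok(der):
    """True if der is one DER SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: length in one byte
        hdr, body = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        hdr, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == hdr + body

def check_pem_for_import(pem_text, expected_sha256):
    """Return (ok, reason, sha256_hex) for text about to be pasted into the import dialog."""
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:                   # missing END line, or a bundle of several certs
        return False, f"expected 1 certificate block, found {len(blocks)}", None
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return False, "base64 body is damaged", None
    if not der_length_ok(der):
        return False, "DER is truncated or has trailing data", None
    fp = hashlib.sha256(der).hexdigest()
    want = expected_sha256.replace(":", "").replace(" ", "").lower()
    if fp != want:
        return False, "fingerprint mismatch", fp
    return True, "ok", fp

def to_pem(der):
    """Wrap DER bytes in PEM armor (used only to build the sample below)."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

# Constructed sample: a DER-shaped placeholder, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
# Assumption: in real use the pin is the SHA-256 fingerprint the CA publishes,
# obtained out of band; here it is derived from the constructed sample.
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()

if __name__ == "__main__":
    print(check_pem_for_import(to_pem(SAMPLE_DER), SAMPLE_PIN))
```

The pin may be given as plain hex or in colon-separated form; a mismatch returns the computed fingerprint so it can be compared by eye against the published value.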

Note:

An issue of this nature can also be encountered when Apple devices need to access other sites such as the following:

gsas.apple.com
*fmip.icloud.com

Attachments

Apple Root CA