Apple apps fail when passing through the ProxySG Appliance

Article Id: 168649
Status: Published
Updated On: 03-06-2018 15:10
Legacy Id: TECH245321
Products:
ProxySG Software - SGOS
Issue/Introduction:

IMessaging connects to a server using the certificate *.ess.apple.com which is signed by Apple Root CA. 

Apple Root CA is not a CA that common browsers trust. Moreover the ProxySG appliance does not trust it by default and will terminate the connection with a certificate warning (untrusted issuer).

 

Cause:

The Signing cert for *.ess.apple.com is not trusted by the ProxySG appliance by default.

Resolution:

Import the Apple Root CA into the ProxySG CA certificate list:

  1. Download the Apple Root CA (attached below). 
  2. Click Configuration > SSL > CA Certificates > Import.
  3. Open the Apple Root CA in an text editor then copy everything including -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
  4. Name the cert AppleRoot then click OK.
  5. Click on CA Certificate Lists tab.
  6. Select browser-trusted and then click Edit.
  7. Select AppleRoot from the left column and click Add >> to add it to the right column.
  8. Click OK and then Apply.

Note:

An issue of this nature can also be encountered when Apple devices need to access other sites such as the following:

gsas.apple.com
*fmip.icloud.com

insert_drive_file Apple Root CA
arrow_downward Download