Error: "The security certificate presented by this website was not issued by a trusted certificate authority" on ProxySG

book

Article ID: 168929

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

After SSL interception is configured on a ProxySG, browsers return the "The security certificate presented by this website was not issued by a trusted certificate authority" error.

This article DOES NOT apply to SSL interception deployments where the ProxySG's self-signed certificate is exported to all browsers on the network. 

Cause

The browsers on the network may not trust the subordinate certificate on the ProxySG since typically only the root and intermediate CA's are trusted. 

After configuring SSL interception where the ProxySG's certificate used for interception is signed by a local PKI certification authority, it is important that the ProxySG trusts all certificates in the certification path including its own subordinate certificate (local CA signed CA certificate). Without this, the ProxySG will not send the chain of trust to the client.

The ProxySG will only send the certificate in the keyring used for SSL interception and will not send the root and/or intermediate CA certificates. Unless the browser trusts the ProxySG's subordinate certificate specifically. The result will be that users will receive untrusted-issuer certificate warnings in the browser. 

Resolution

The ProxySG will need to send the certificate chain of trust to avoid this error. 

Assure the following steps are included in your SSL interception configuration. 

Note: These instructions take place after having already configured a keyring with a signed subordinate certificate.

Follow these steps in the Management Console of the ProxySG:

  1. Go to Configuration>SSL>Keyrings (For HSM configurations, go the command line interface and enter the following in enable mode: show ssl hsm-keyring <hsm-keyring-name>, copy the certificate from the console output, and skip to step 6)
  2. Select the keyring that is configured with the subordinate certificate 
  3. Click View Certificate
  4. Click PEM tab
  5. Click Copy To Clipboard
  6. Go to Configuration>SSL>CA Certificates
  7. Click Import
  8. Give the CA certificate a name (example: ProxySSLInterceptionCert)
  9. Click Paste From Clipboard
  10. Click OK
  11. Click Apply
  12. Click CA Certificate Lists tab
  13. Select the browser-trusted CCL
  14. Click Edit
  15. Select the newly imported CA certificate (example: ProxySSLInterceptionCert) from the left pane
  16. Click Add
  17. Click OK
  18. Click Apply

If you have multiple keyrings such as if you have configured HSM and you have multiple HSM-keyrings that correspond to multiple LunaSP appliances, you will need to follow the above steps for each certificate within those keyrings.