After SSL interception is configured on a ProxySG, browsers return the "The security certificate presented by this website was not issued by a trusted certificate authority" error.
This article DOES NOT apply to SSL interception deployments where the ProxySG's self-signed certificate is exported to all browsers on the network. Instead, this article applies to SSL interception deployments where a Certificate Signing Request (CSR) is created on the ProxySG and exported to be signed by a local CA.
The browsers on the network may not trust the subordinate certificate on the ProxySG, since typically only the root and intermediate CAs are trusted.
After configuring SSL interception where the ProxySG's certificate used for interception is signed by a local PKI certification authority, it is important that the ProxySG trusts all certificates in the certification path including its own subordinate certificate (local CA signed CA certificate). Without this, the ProxySG will not send the chain of trust to the client.
The ProxySG will only send the certificate in the keyring used for SSL interception and will not send the root and/or intermediate CA certificates. Unless the browser trusts the ProxySG's subordinate certificate specifically, the result is that users receive untrusted-issuer certificate warnings in the browser.
The ProxySG needs to send the certificate chain of trust to avoid this error.
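To see the failure mode described above in isolation, the following is an added demonstration (not from this article and not ProxySG code) that builds a throwaway PKI with the openssl CLI, shaped like the one discussed here: Root CA, Intermediate CA, and a ProxySG subordinate signing CA. It assumes the openssl command (1.1.1 or later) is available; all names are constructed.

```shell
#!/bin/sh
# Added demo: Root CA -> Intermediate CA -> ProxySG subordinate signing CA.
# A client that trusts only the root rejects the subordinate certificate when
# it is presented alone, and accepts it once the intermediate is presented too.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Extensions every CA certificate in the chain carries.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Self-signed root: the only certificate the browsers in this scenario trust.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

# issue_ca <CN> <issuer file stem> <output file stem>: a CA cert signed by the issuer.
issue_ca() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/$3.crt" 2>/dev/null
}
issue_ca "Demo Intermediate CA" root int        # intermediate, signed by the root
issue_ca "Demo ProxySG Subordinate CA" int sub  # the certificate in the ProxySG keyring

# Validate the subordinate the way a browser does: trust store = root only.
# $1 = stem of an extra certificate presented alongside it ("" = none, i.e. a
# ProxySG that sends only its keyring certificate). Returns 0 if trusted.
validate_presented_chain() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/$1.crt" "$WORK/sub.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/sub.crt" >/dev/null 2>&1
  fi
}

if validate_presented_chain ""; then
  echo "subordinate alone: trusted"
else
  echo "subordinate alone: UNTRUSTED (issuer not in trust store, intermediate missing)"
fi
if validate_presented_chain int; then
  echo "subordinate + intermediate: trusted"
else
  echo "subordinate + intermediate: UNTRUSTED"
fi
```

Against a live deployment, `openssl s_client -showcerts` lists exactly which certificates the intercepting ProxySG presents, so a chain consisting of the keyring certificate alone is the symptom to look for.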
Ensure the following steps are included in your SSL interception configuration.
Note: These instructions take place after having already configured a keyring with a signed subordinate certificate.
Follow these steps in the Management Console of the ProxySG:
If you have multiple keyrings, for example because you have configured an HSM and have multiple HSM keyrings corresponding to multiple LunaSP appliances, you will need to follow the above steps for each certificate within those keyrings.