Error: "The security certificate presented by this website was not issued by a trusted certificate authority" on ProxySG

Article ID: 168929


Products

ProxySG Software - SGOS

Issue/Introduction

After SSL interception is configured on a ProxySG, browsers return the error "The security certificate presented by this website was not issued by a trusted certificate authority".

This article DOES NOT apply to SSL interception deployments where the ProxySG's self-signed certificate is exported to all browsers on the network. Instead, this article applies to SSL interception deployments where a Certificate Signing Request (CSR) is created on the SG and exported to be signed by a local CA.

Cause

The browsers on the network may not trust the subordinate certificate on the ProxySG, since typically only the root and intermediate CAs are trusted.

After configuring SSL interception where the ProxySG's certificate used for interception is signed by a local PKI certification authority, it is important that the ProxySG trusts all certificates in the certification path including its own subordinate certificate (local CA signed CA certificate). Without this, the ProxySG will not send the chain of trust to the client.

The ProxySG will only send the certificate in the keyring used for SSL interception and will not send the root and/or intermediate CA certificates. Unless the browser specifically trusts the ProxySG's subordinate certificate, users will receive untrusted-issuer certificate warnings in the browser.

Resolution

The ProxySG will need to send the certificate chain of trust to avoid this error. 

Ensure the following steps are included in your SSL interception configuration.

Note: These instructions take place after having already configured a keyring with a signed subordinate certificate.

Follow these steps in the Management Console of the ProxySG:

  1. Go to Configuration>SSL>Keyrings (For HSM configurations, go to the command line interface and enter the following in enable mode: show ssl hsm-keyring <hsm-keyring-name>, copy the certificate from the console output, and skip to step 6)
  2. Select the keyring that is configured with the subordinate certificate 
  3. Click View Certificate
  4. Click PEM tab
  5. Click Copy To Clipboard
  6. Go to Configuration>SSL>CA Certificates
  7. Click Import
  8. Give the CA certificate a name (example: ProxySSLInterceptionCert)
  9. Click Paste From Clipboard
  10. Click OK
  11. Click Apply
  12. Click CA Certificate Lists tab
  13. Select the browser-trusted CCL
  14. Click Edit
  15. Select the newly imported CA certificate (example: ProxySSLInterceptionCert) from the left pane
  16. Click Add
  17. Click OK
  18. Click Apply

If you have multiple keyrings, for example an HSM configuration with multiple HSM-keyrings that correspond to multiple LunaSP appliances, you will need to follow the above steps for each certificate within those keyrings.
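
The trust failure described under Cause, and the effect of sending the subordinate certificate along with the server certificate, can be reproduced offline with OpenSSL. This is an added example, not Broadcom or ProxySG tooling; the lab CA names, file names and the helper functions build_lab_pki and client_accepts are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Constructed lab PKI mirroring the article: root CA -> subordinate CA -> emulated server cert.
# Every name and file below is a made-up lab value, not taken from a real deployment.
build_lab_pki() {  # $1 = empty working directory
  local d=$1
  cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.test
EOF
  # Root CA: the only certificate the client trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/lab.cnf" -extensions ca \
    -subj "/CN=Lab Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Subordinate CA: stands in for the certificate in the SSL interception keyring.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
    -subj "/CN=Lab ProxySG Subordinate CA" -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/lab.cnf" -extensions ca -out "$d/sub.pem" 2>/dev/null
  # Emulated server certificate: what the proxy issues for an intercepted site.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/lab.cnf" \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" -CAcreateserial \
    -days 2 -extfile "$d/lab.cnf" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if a path from the leaf to the trusted root can be built from what was sent.
# $1 = trusted root, $2 = leaf, $3 (optional) = PEM file of extra certificates sent by the server.
client_accepts() {
  openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  build_lab_pki "$d"
  client_accepts "$d/root.pem" "$d/leaf.pem" && echo "leaf only: trusted" || echo "leaf only: untrusted issuer"
  client_accepts "$d/root.pem" "$d/leaf.pem" "$d/sub.pem" && echo "leaf + subordinate: trusted" || echo "leaf + subordinate: untrusted issuer"
  rm -rf "$d"
}
demo
```

Against a live deployment, the same client_accepts check can be run on the certificates captured with openssl s_client -showcerts, using the local root CA as the trusted file.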