Error when downloading the Intelligence Services database: "Server certificate signed by unknown CA"

Article ID: 171614

Products

Advanced Secure Gateway Software - ASG

ProxySG Software - SGOS

Issue/Introduction

This article explains why the following error message prevents the proxy from downloading the Intelligence Services database, and describes possible workarounds:

"Server certificate signed by unknown CA"

Cause

This issue occurs when a device between the proxy and the destination server presents a certificate that the proxy does not trust by default. This can occur when two proxies are deployed in a chain.

Resolution

To prevent this from happening, perform one of the following procedures:

- Install the certificate from the external device into the proxy's CA certificates list, and then add it to the browser-trusted CCL.

- Disable SSL Interception on the upstream device for this particular request, so that the certificate the internal proxy sees is the original one.

- (If the upstream proxy is Transparent) Add the IP address that the Intelligence Services database resolves to to the Static Bypass List. This assumes the device providing this certificate is a ProxySG or ASG.
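The failure and the first workaround can be reproduced offline with the `openssl` command-line tool. This is an added example, not vendor code or ProxySG configuration; every CA name, hostname and file in it is constructed for the demo. It shows that the issuer field of the rejected certificate names the intercepting device, and that verification succeeds once that device's CA is in the trusted bundle.

```shell
#!/usr/bin/env bash
# Constructed lab: every CA, hostname and file here is made up for the demo.
set -eu

# Print "trusted" if leaf $2 chains to a CA in bundle $1, else "unknown-ca".
verify_leaf() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo unknown-ca
  fi
}

# Print the issuer DN: this names the device that actually signed the cert.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

# Create a self-signed CA: new_ca <basename> <common name>
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Build the scenario in a temp dir and print its path.
build_lab() {
  d=$(mktemp -d)
  new_ca "$d/default" "Constructed Default-Trusted CA"
  new_ca "$d/upstream" "Constructed Upstream Interception CA"
  # Server certificate as re-signed by the intercepting upstream device.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/upstream.pem" \
    -CAkey "$d/upstream.key" -CAcreateserial -days 1 \
    -out "$d/leaf.pem" >/dev/null 2>&1
  echo "$d"
}

lab=$(build_lab)
# The inner proxy trusts only its default CA, so the re-signed cert is rejected.
echo "before: $(verify_leaf "$lab/default.pem" "$lab/leaf.pem")"
issuer_of "$lab/leaf.pem"
# Workaround 1: add the upstream device's CA to the trusted bundle.
cat "$lab/default.pem" "$lab/upstream.pem" > "$lab/bundle.pem"
echo "after:  $(verify_leaf "$lab/bundle.pem" "$lab/leaf.pem")"
```

Trusting the upstream CA extends trust to every certificate that device issues, which is why the second and third workarounds, which leave the original certificate in place, keep the trust list smaller.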