
Error "Keyring does not have a certificate authority's certificate" when installing the SSL Intercept Layer


Article ID: 172213


Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

SSL interception is being enabled on the ProxySG with a certificate imported from a third-party Certificate Authority.

After you add the certificate under Proxy Settings > SSL Proxy (SSL interception on exception and default SSL interception certificate) and click Apply, you get the following error:

"Keyring does not have a certificate authority's certificate"

 

Cause

The imported certificate is not a subordinate CA certificate. The SSL intercept certificate must have the Basic Constraints CA=true extension and the Certificate Revocation List (CRL) signing and certificate signing Key Usages.

For more information about the SSL Certificate requirement, refer to TECH243236
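
A pre-import check for the three properties named above, as an added example that is not part of the original article and is not ProxySG tooling. It assumes the `openssl` CLI is installed and the certificate is in PEM format; the function names and the `v3_subca`/`v3_leaf` section names are hypothetical, and the sample certificates it can generate are constructed throwaways.

```shell
#!/bin/sh
# Requires the openssl CLI; all function and section names here are hypothetical.

# Print the line that follows extension header $1 in `openssl x509 -text` output.
ext_value() {
    awk -v h="$1" 'found { print; exit } index($0, h) { found = 1 }'
}

# Return 0 if PEM certificate $1 has CA=true plus certificate and CRL signing,
# 1 if any of them is missing, 2 if the file cannot be parsed.
check_intercept_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate: $1"; return 2; }
    bc=$(printf '%s\n' "$text" | ext_value 'X509v3 Basic Constraints')
    ku=$(printf '%s\n' "$text" | ext_value 'X509v3 Key Usage')
    rc=0
    case $bc in *CA:TRUE*) ;; *) echo "FAIL: Basic Constraints CA=true missing"; rc=1 ;; esac
    case $ku in *'Certificate Sign'*) ;; *) echo "FAIL: Key Usage lacks certificate signing"; rc=1 ;; esac
    case $ku in *'CRL Sign'*) ;; *) echo "FAIL: Key Usage lacks CRL signing"; rc=1 ;; esac
    [ "$rc" -eq 0 ] && echo "OK: usable as an SSL interception CA certificate"
    return "$rc"
}

# Constructed sample input: write a throwaway self-signed certificate to $2 using
# extension section $1 (v3_subca or v3_leaf). The key and config are discarded.
make_sample_cert() {
    d=$(mktemp -d) || return 1
    cat > "$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed-example
[v3_subca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/cfg" \
        -extensions "$1" -keyout "$d/key" -out "$2" 2>/dev/null
    st=$?; rm -rf "$d"; return "$st"
}
```

Run `check_intercept_cert` against the certificate received from the third-party CA before importing it into the keyring; a server (leaf) certificate fails all three checks.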

Resolution

A self-signed certificate on the ProxySG can also be used for SSL interception without obtaining a certificate from a root CA, but it would need to be installed in the browser as a Trusted Root Certification Authority.