The end user cannot browse through the Web Isolation platform because of invalid-certificate errors. These errors could include, but are not limited to, an incorrect subject or an expired certificate.
All secure traffic requires valid server and system certificates, provided by the server. SSL traffic can be established only when the server and system certificates are valid.
NOTE: In a downstream proxy scenario that also intercepts SSL traffic, the end users' browsers shall validate the signed server certificates.
Ensure all gateway server certificates are valid.
You can check them by editing each gateway under System Configuration > Gateways and viewing the certificate.
If an auto-generated server certificate needs to be manually renewed, this can be achieved by toggling the corresponding Zone CA under System Configuration > Zones. Web Isolation versions 1.15+ contain an auto-regeneration feature which renews the certificates prior to expiry.
If a custom server certificate needs to be replaced, a new one can be installed under System Configuration > System Certificates and then referenced in the above configuration for each gateway.
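To audit several gateway certificates at once instead of opening each gateway in the UI, the two failure modes named above (expiry and an incorrect subject) can be checked with OpenSSL. This is an added example, not Web Isolation tooling; it assumes the certificates have been exported as PEM files and that OpenSSL 1.0.2 or later is installed, and the function names, the 30-day default warning window and the host name gateway.example.test are illustrative.

```bash
#!/bin/sh
# Added example: audit an exported gateway certificate (PEM) for expiry and
# for a subject that does not match the host name clients connect to.

# make_sample_cert DIR HOST DAYS
# Builds a constructed self-signed certificate for trying the audit offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -out "$1/cert.pem" -subj "/CN=$2" -days "$3" 2>/dev/null
}

# audit_cert PEM_FILE EXPECTED_HOST [WARN_DAYS]
# Prints one status line. Returns 0 = ok, 1 = expired or expiring soon,
# 2 = host name not covered by the certificate, 3 = file unreadable.
audit_cert() {
    ac_pem=$1
    ac_host=$2
    ac_warn=${3:-30}

    # Unreadable or non-PEM input: nothing else can be checked.
    if ! openssl x509 -in "$ac_pem" -noout 2>/dev/null; then
        echo "UNREADABLE     $ac_pem"
        return 3
    fi
    ac_end=$(openssl x509 -in "$ac_pem" -noout -enddate | cut -d= -f2)

    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$ac_pem" -noout -checkend 0 >/dev/null; then
        echo "EXPIRED        $ac_pem (notAfter=$ac_end)"
        return 1
    fi
    if ! openssl x509 -in "$ac_pem" -noout \
            -checkend $((ac_warn * 86400)) >/dev/null; then
        echo "EXPIRING       $ac_pem (notAfter=$ac_end, within $ac_warn days)"
        return 1
    fi

    # -checkhost tests the name against subjectAltName, falling back to the CN.
    if ! openssl x509 -in "$ac_pem" -noout -checkhost "$ac_host" \
            | grep -q 'does match certificate'; then
        echo "NAME-MISMATCH  $ac_pem (expected $ac_host)"
        return 2
    fi
    echo "OK             $ac_pem (notAfter=$ac_end)"
    return 0
}
```

Run `audit_cert` once per exported certificate with the host name that endpoints use for that gateway; a non-zero return identifies which certificates need renewal or replacement as described above.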
We expect that the expired system SSL certificate in the customer's tenant has also been auto-renewed, so the customer only needs to deploy the new certificate to the clients/endpoints in their environment and remove the old, expired certificates. The customer's local support will need to help with this. See the technical document linked below for reference.
Deploy the CA Certificate File to the End Users
For further information, see Configure System Certificates.