search cancel

After WSS Agent is deployed to developer computers some certificate related error may appear in applications like github or eclipse


Article ID: 199464


Updated On:


Web Security Service - WSS


After the WSS Agent is deployed to computers, users in Development teams, or teams with custom applications or Linux applications ported to Windows, may encounter certificate errors as highlighted below:

PS C:\...\cobol-lsp-vscode-extension> npm ci

> node ./node_modules/vscode/bin/install

Detected VS Code engine version: ^1.30.0
Error installing vscode.d.ts: Error: unable to get local issuer certificate



WSS Agent with SSL Interception policies turned on and 3rd party applications not using schannel and the Windows certificate store.


These certificate related errors are caused by the TLS interception taking place within WSS to ensure the traffic is protected and validated per corporate policies.

The WSS Agent installed the "Cloud Services Root CA" in the Windows certificate store however some applications do not use this store directly, and as such they will not trust the TLS intercepted responses back.


The resolution will depend on the application itself, but generally speaking it will revolve around adding a version of the "Cloud Services Root CA" certificate (in der, cer or crt format) into a local CA Store (in the case of Eclipse you need to add the CA root to a Java CA store [1][2]) or switching the TLS communication mode from using OpenSSL libraries to using schannel (as is the case for git applications) [3].