When browsing to some sites, an error message NET::ERR_CERT_WEAK_KEY is displayed.
The ProxySG emulates certificates with a key size less than 2048 bits.
SSL interception enabled.
Set emulated certificate key size to 2048 bits.
From the CLI, get into configure mode, then enter the SSL configuration and set the keysize:
proxy> enable proxy# conf t proxy#(config) ssl proxy#(config ssl)proxy force-emulated-cert-keysize 2048
Clear the certificate cache after applying the key size change to clear existing certificates in cache:
Reboot the MAC device to clear its cache.
Per Apple documentation certificate key sizes less than 2048 bits are no longer supported:
Since the browser on MACOS is enforcing certificate keysize of 2048 bits or more, we need to override OCS presenting certificates less than key size less than 2048 bits.
Be aware that increasing the key size will increase the overhead in SSL processes so CPU utilization may rise depending on traffic that is ssl intercepted.
Forcing key sizes of more than 2048 bits is not recommend.
By default "force-emulated-cert-keysize" is set to auto.
Prior to SGOS 6.7, "auto" is 1024 or 2048, depending on the Origin Content Server (OCS) key size. If the OCS uses a 1024 bit key size then the ProxySG emulates certificates from the OCS with a 1024 bit key size. Similarly, if the OCS uses a 2048 bit key size, then the ProxySG emulates certificates from the OCS with a 2048 bit key size.
For SGOS 6.7 and later, "auto" was expanded to include keysizes 1024, 2048, 3072, or 4096 bits, mimicking the OCS.
In order to revert change back to default, do the following:
proxy> enable proxy# conf t proxy#(config) ssl proxy#(config ssl)proxy force-emulated-cert-keysize auto