Client certificate authentication error: Certificate Unknown
Article ID: 234473

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A client (e.g. a browser) is using a unique or self-signed certificate (client certificate) to authenticate against an origin content server (OCS).

The user is not able to access the site when the WSS Agent is enabled.

The user is able to access the site when the WSS Agent is disabled.

Error:

Environment

Web Security Service

WSS Agent

Cause

The issue is caused by the proxy intercepting the SSL/TLS session, which breaks the private chain of trust between the client and the OCS: the client authenticates to the proxy, not to the OCS that expects the certificate.

Although the SSL proxy can be configured to forward information about the client certificate to the OCS, in some cases an SSL exemption is required so that all traffic to the OCS bypasses the WSS proxy entirely, allowing the client certificate to be presented to and processed by the OCS directly.

Resolution

Add the domain/IP to your SSL Exemption list

WSS Policy

See WSS Policy Custom Shop 02—SSL Interception

Universal Policy Enforcement (UPE)

If you are using Universal Policy Enforcement, the Management Center administrator will need to update their current SSL interception policy and push the new exemption to the WSS enforcement domain.
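As an added check that is not part of this article: from a client with the WSS Agent enabled, compare the issuer of the server certificate actually received for the OCS host against your tenant's interception CA. If the leaf is still minted by the interception CA, the exemption is not in effect and the client certificate cannot reach the OCS. The openssl commands and the INTERCEPT_CA_MATCH issuer substring are assumptions; set the variable to match your own interception CA.

```shell
#!/bin/sh
# Added diagnostic, not part of the KB article. Assumes openssl is installed
# on the client. INTERCEPT_CA_MATCH is a placeholder: set it to a substring of
# the issuer DN of the interception CA deployed to your clients.
INTERCEPT_CA_MATCH="${INTERCEPT_CA_MATCH:-CHANGE-ME Interception CA}"

# Print the issuer DN of the leaf certificate the client receives for a host.
# The server certificate is sent before any client-certificate request, so this
# works even when the OCS later rejects the handshake for lack of a client cert.
issuer_of_host() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer 2>/dev/null
}

# Classify an issuer line:
#   intercepted - leaf issued by the interception CA (exemption NOT in effect)
#   direct      - leaf issued by anything else (traffic reaches the OCS)
#   unknown     - no certificate could be retrieved
classify_issuer() {
    case "$1" in
        "")                      echo "unknown" ;;
        *"$INTERCEPT_CA_MATCH"*) echo "intercepted" ;;
        *)                       echo "direct" ;;
    esac
}

# Returns 0 only when the host is reached without interception.
check_exemption() {
    issuer=$(issuer_of_host "$1" "$2")
    result=$(classify_issuer "$issuer")
    echo "$1: $result (issuer: ${issuer:-none})"
    [ "$result" = "direct" ]
}

# Usage: INTERCEPT_CA_MATCH="My Intercept CA" sh check_exemption.sh ocs.example.com
if [ $# -gt 0 ]; then
    check_exemption "$@"
fi
```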

Additional Information

If the issue continues after adding the domain/IP to the SSL exemption list, Support will require the following:

  1. Take a WSS Agent - SymDiag while reproducing the issue.