After upgrading to SGOS 7.x, Edge SWG (ProxySG) does not send the complete certificate chain to the client when SSL interception occurs.
This causes problems in environments where the certificate Edge SWG uses for interception is issued by a Subordinate Certificate Authority (SubCA) and the client has only the Root CA certificate in its trusted Certificate Authorities store.
Because the chain is incomplete, the client cannot build a path from the presented certificate back to the Root CA and therefore does not trust the certificate presented by Edge SWG.
This article applies to SSL interception environments where the CSR on the proxy is signed by a SubCA that the client machine does not trust directly: the SubCA and Root CA belong to a trusted domain (the Root CA is in the client's trusted root store), but the SubCA certificate cannot be installed in the client's trusted root store.
Edge SWG running SGOS 7.x
Edge SWG is using a keyring for SSL interception whose certificate is issued/signed by a SubCA.
The client machine does not have the SubCA certificate in its trusted root CA store, and it cannot be added there.
In SGOS 6.7, the proxy could construct the chain from the CA Certificate List (CCL) referenced by the SSL interception configuration.
Starting in SGOS 7.2.x, Edge SWG no longer builds a certificate chain for the client; it sends only the certificates that are included in the issuer keyring.
This behavior matches RFC 5246 (TLS 1.2), section 7.4.2, which defines the server's Certificate message as the sender's certificate followed, in order, by each certificate that directly certifies the one before it: the TLS server is expected to present the chain itself rather than rely on the peer to assemble one. On Edge SWG that means the chain has to be installed as an integral part of the intercept keyring.
To make Edge SWG send a complete certificate chain (including the SubCA and Root CA), the certificate installed in the SSL interception keyring must be the full chain rather than the leaf certificate alone: the intercept certificate first, then the SubCA certificate, then the Root CA certificate. Order matters; the client rejects a chain whose first certificate is not the one that signs the TLS handshake. (RFC 5246 allows the self-signed root to be omitted because the client must already hold it, but including it is harmless and is what the procedure below does.)
For step-by-step instructions, refer to the article "Create an SSL Certificate Keyring".