ProxySG 7.2.x or above does not send complete certificate chain.



Article ID: 250042




ProxySG Software - SGOS


After upgrading to SGOS 7.x, ProxySG does not send the complete certificate chain (including the root certificate) to the client when performing SSL interception.

This causes issues in environments where the proxy uses a certificate issued by a Subordinate CA and the client has only the Root CA certificate in its trusted CA store.

Due to the incomplete chain (only the SubCA certificate is included), the client machine is unable to trust the certificate chain presented by ProxySG.

This article applies to SSL interception environments where the CSR on the proxy is signed by a Subordinate CA (SubCA) that the client machine does not trust (the SubCA certificate is not present in the client's trusted store). The SubCA and Root CA belong to a trusted domain, but the SubCA certificate cannot be installed in the client's trusted root store.


ProxySG running a 7.x version

ProxySG uses a keyring for SSL interception that is issued / signed by a SubCA.

The client machine does not have the SubCA certificate in its trusted root CA store, and it cannot be added.


Earlier, on 6.7, it was possible to construct the chain from the referenced CCL (CA Certificate List).

However, from version 7.2.x onwards, ProxySG does not build and send a certificate chain to the client when the chain is not included in the issuer keyring.

The change in behavior follows RFC 5246 and requires that the intercept keyring's certificate chain be installed as part of the keyring.


To make ProxySG send the complete certificate chain (including SubCA and Root CA), the keyring used for SSL interception must be signed using the complete chain (including the Root CA).

Please refer to the article below for instructions on how to sign a keyring -