Is it possible to import 3rd party certificate to cloud proxy?
Article ID: 267558

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users are accessing an internal application hosted in the cloud that uses server certificates issued by our internal on-premises CA.

When accessing these resources, users get "untrusted issuer" messages instead of the site contents.

Is there a way to import our root CA into the Cloud SWG tenant proxy so that these untrusted issuer messages no longer appear?

Cause

Cloud SWG proxies can only validate server certificates that chain to the well-known public CAs in their trust store.

Customer on-premises intermediate or root certificates cannot be added to the Cloud SWG trust stores.

Resolution

Two options achieve the same result, using either the VPM or CPL. Once the admin has determined which domains users are accessing that present certificates from the internal CA, a policy change can ignore certificate validation errors for those domains only. The upstream SSL handshake then completes successfully, and the downstream connection to the client completes without errors or warnings. Note that skipping validation for a domain means the proxy will accept any certificate presented for it, including one from a party impersonating the server, so keep the domain list as narrow as possible.

As a best practice, all public sites should use SSL certificates issued by well-known CAs that are trusted by the Cloud SWG proxy trust stores.

If the above change still raises security concerns, the following additional steps can be taken:

  • Enable the dedicated IP address feature for this domain.
  • Add ACLs on the back end to ONLY allow access from the Cloud SWG dedicated IP addresses.
  • Apply the VPM or CPL certificate validation change for this domain only.

This constrains the network path so that the application can only be reached through Cloud SWG: any external threat agent is blocked from reaching the site, and the relaxed validation only affects traffic arriving over that controlled path.
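As an added illustration that is not part of the original article, the CPL equivalent of the VPM change, scoped to a single domain. The host name is a placeholder; the `url.domain=` trigger and the `server.certificate.validate()` property are taken from the ProxySG/Cloud SWG CPL reference, and the policy should be checked with the tenant's policy compiler before it is installed:

```cpl
; Added example, not from the article. Placeholder domain: replace with the
; internal application whose certificate chains to the private CA.
define condition PrivateCA_Apps
    ; list only the domains that fail validation; every other domain keeps
    ; full certificate validation against the well-known CA trust store
    url.domain=intranet-app.example.internal
end condition PrivateCA_Apps

; TLS interception (and therefore content inspection) stays on; only the
; upstream issuer check is skipped, and only for the listed domains.
<ssl>
    condition=PrivateCA_Apps server.certificate.validate(no)
```

Because validation is turned off outright for the matched domains, pair this rule with the dedicated IP address and back-end ACL steps above so that the only path to the application is the one the proxy controls.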

Disabling protocol detection for the problem domain also addresses the issue. The Cloud Proxy then does not terminate the SSL session but acts as a generic TCP (layer 4) proxy instead of an application-layer proxy: all TLS ciphers and protocols sent by the client reach the OCS untouched by the proxy, and the certificate sent by the OCS reaches the client untouched. The trade-off is that the proxy cannot inspect or apply content policy to anything inside that tunnel, and the client itself must trust the internal CA, since it now sees the OCS certificate directly.
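The CPL form of this second option, as an added example that is not from the original article. The host name is a placeholder and the `detect_protocol()` property is taken from the ProxySG/Cloud SWG CPL reference; use this rule instead of, not together with, the certificate validation bypass for the same domain, and verify it with the tenant's policy compiler first:

```cpl
; Added example, not from the article. Placeholder domain: replace with the
; internal application whose certificate chains to the private CA.
<proxy>
    ; With protocol detection off the proxy never sees a TLS handshake to
    ; intercept, so it tunnels the connection at layer 4. The client then
    ; negotiates TLS end-to-end with the OCS and validates the certificate
    ; against its own trust store, which must contain the internal CA.
    url.domain=intranet-app.example.internal detect_protocol(no)
```

Since nothing inside the tunnel is inspected, confirm that no content policy (malware scanning, URL categorisation, DLP) is expected for this domain before choosing this option over the validation bypass.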