Error generating electronic signature on government portal site


Article ID: 381118


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using WSS agents.

Certain users in one location are facing issues with their government portal: the main page works and users can log in successfully, but when they try to sign any documents, the following error is displayed:

"Unable to reach certificate distribution point"

Disabling the WSS agent allows everything to work without issues.

Adding the domain to the SSL interception bypass list fails to address the issue, as does adding it as a trusted destination. Even bypassing the domain from the proxy fails!

Environment

Cloud SWG.

Digitally signing documents.

Cause

The signing service is not the same domain as the Government Portal and needs to be bypassed from SSL interception.

Resolution

Identify the signing service and add it to the SSL interception bypass list.

Additional Information

The big clue in the above symptoms was that bypassing the Government Portal domain did not address the issue; this most likely means that there is another dependent domain where communication is failing.

Getting access to the Symdiag output when the issue was reproduced allowed us to track all SSL sessions and confirm whether any failed. In our case, we identified a session to a cert signing domain (clue was in the name!) where the SSL handshake had failed on the client side. Suspecting a certificate pinning issue, we added the domain to the SSL interception bypass list.

Doing so fixed the issue.

The error message was a red herring, as it would normally indicate an issue validating the CRL distribution points or AIA (OCSP) endpoints from the certificates returned.
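
The triage described above (find sessions whose SSL handshake failed and that the current bypass list does not cover) can be sketched as follows. This is an added example, not Broadcom's tooling or Symdiag's output format: the record layout, the suffix-matching rule and every domain name are assumptions constructed for illustration.

```python
# Added example: triage of TLS sessions against an SSL interception bypass list.
# Record layout and suffix matching are assumptions, not Symdiag's format or
# Cloud SWG's documented matching logic.

def normalise(host):
    """Lower-case a hostname and drop any :port suffix and trailing dot."""
    return host.strip().lower().split(":")[0].rstrip(".")

def covered(host, bypass_entries):
    """True when host equals a bypass entry or is a subdomain of one."""
    host = normalise(host)
    for entry in bypass_entries:
        entry = normalise(entry)
        # Match on a label boundary so "notportal.x" is not covered by "portal.x".
        if host == entry or host.endswith("." + entry):
            return True
    return False

def bypass_candidates(sessions, bypass_entries):
    """Return hosts whose handshake failed while still subject to interception."""
    failed = {}
    for session in sessions:
        host = normalise(session["host"])
        if session["handshake"] != "ok" and not covered(host, bypass_entries):
            failed[host] = failed.get(host, 0) + 1
    # Most frequent failures first; ties broken alphabetically for stable output.
    return sorted(failed, key=lambda h: (-failed[h], h))

# Constructed sample data using placeholder domains (not taken from the article).
BYPASS = ["portal.gov.example"]
SESSIONS = [
    {"host": "portal.gov.example:443", "handshake": "ok"},
    {"host": "login.portal.gov.example", "handshake": "ok"},
    {"host": "cdn.static.example", "handshake": "ok"},
    {"host": "Sign.CertProvider.example.", "handshake": "client_alert"},
    {"host": "sign.certprovider.example", "handshake": "client_alert"},
    {"host": "notportal.gov.example", "handshake": "client_reset"},
]

if __name__ == "__main__":
    for host in bypass_candidates(SESSIONS, BYPASS):
        print("failed handshake, not on bypass list:", host)
```

Bypassing only the portal domain leaves the separate signing host in the result, which is the situation described in the Cause section.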