Users access internet sites via Cloud SWG using WSS agents.
Certain users in one location are facing issues with their government portal: the main page loads and users can log in successfully, but when they try to sign any documents the following error is displayed:
"Unable to reach certificate distribution point"
Disabling the WSS agent allows everything to work without issues.
Adding the portal domain to the SSL interception bypass list does not address the issue, nor does adding it as a trusted destination. Even bypassing the portal domain from the proxy entirely does not help.
Cloud SWG.
Digitally signing documents.
The signing service is hosted on a different domain from the government portal; that domain is still being intercepted and needs to be bypassed from SSL interception.
Identify the signing service domain and add it to the SSL interception bypass list.
The big clue in the above symptoms was that bypassing the government portal domain did not address the issue; this most likely means there is another, dependent domain where communication is failing.
Symdiag output captured while the issue was reproduced allowed us to review every SSL session and confirm whether any failed. In our case we identified a session to a certificate signing domain (the clue was in the name) where the SSL handshake had failed on the client side, i.e. the client rejected the certificate the proxy presented rather than the server rejecting the connection. Suspecting certificate pinning, the domain was added to the SSL interception bypass list.
Doing so fixed the issue.
The error text was a red herring: taken literally it would point to a problem validating the CRL distribution points or AIA (OCSP) endpoints listed in the returned certificates, but the actual failure was the TLS handshake to the signing service. A quick way to confirm this class of problem is to compare the issuer of the certificate the client receives for the suspect domain with and without the agent: while the session is intercepted, the issuer is the Cloud SWG intercept CA rather than the origin's public CA, and a pinned or privately trusted client will refuse it.
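The triage step described above (review the captured sessions, discard the portal that is already bypassed, and flag any other intercepted host whose handshake failed on the client side) can be scripted. The following is an added example and is not part of the original article or the Symdiag tooling: the log format, the hostnames and the alert values are constructed placeholders, so adapt the regular expression to the shape of the output you actually collected.

```python
"""Find the dependent domain whose TLS handshake fails while the portal works.

Added example, not Symdiag code. The log format below is a constructed,
simplified connection log (timestamp, client, destination, interception
mode, handshake result, optional "<side>_alert=<reason>"); hostnames are
placeholders.
"""
import re
from collections import defaultdict

# Constructed sample (not real Symdiag output). The portal itself handshakes
# fine; the separate signing service fails twice with a client-side alert,
# and an unrelated host fails once but on the server side.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z 10.1.2.3 portal.gov.example:443 intercept handshake_ok
2024-03-01T09:12:02Z 10.1.2.3 static.gov.example:443 intercept handshake_ok
2024-03-01T09:12:40Z 10.1.2.3 portal.gov.example:443 intercept handshake_ok
2024-03-01T09:12:41Z 10.1.2.3 certsign.signing-provider.example:443 intercept handshake_failed client_alert=unknown_ca
2024-03-01T09:12:43Z 10.1.2.3 certsign.signing-provider.example:443 intercept handshake_failed client_alert=unknown_ca
2024-03-01T09:12:45Z 10.1.2.3 crl.ca.example:80 passthrough ok
2024-03-01T09:13:02Z 10.1.2.3 telemetry.vendor.example:443 intercept handshake_failed server_alert=handshake_failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+"
    r"(?P<mode>intercept|passthrough)\s+(?P<result>\S+)"
    r"(?:\s+(?P<side>client|server)_alert=(?P<alert>\S+))?$"
)


def parse_sessions(log_text):
    """Parse the constructed log into dicts; lines that do not match are
    skipped rather than guessed at."""
    sessions = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            sessions.append(m.groupdict())
    return sessions


def failed_intercepted_hosts(sessions, portal_host):
    """Group failed handshakes on intercepted sessions by host, excluding the
    portal that has already been bypassed. A client-side alert means the
    client rejected the certificate the proxy substituted (pinning or a
    private trust store), which is exactly what an SSL interception bypass
    addresses; a server-side alert points elsewhere."""
    summary = defaultdict(lambda: {"failures": 0, "client_side": 0, "alerts": set()})
    for s in sessions:
        if s["mode"] != "intercept" or s["result"] != "handshake_failed":
            continue
        if s["host"] == portal_host:
            continue
        entry = summary[s["host"]]
        entry["failures"] += 1
        if s["side"] == "client":
            entry["client_side"] += 1
        if s["alert"]:
            entry["alerts"].add(f'{s["side"]}:{s["alert"]}')
    return dict(summary)


def bypass_candidates(sessions, portal_host):
    """Hosts worth adding to the SSL interception bypass list: intercepted,
    failing, with at least one failure raised by the client. Most client-side
    failures first."""
    summary = failed_intercepted_hosts(sessions, portal_host)
    cands = [h for h, e in summary.items() if e["client_side"] > 0]
    return sorted(cands, key=lambda h: (-summary[h]["client_side"], h))


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for host, entry in failed_intercepted_hosts(sessions, "portal.gov.example").items():
        print(f"{host}: {entry['failures']} failed, "
              f"{entry['client_side']} client-side, {sorted(entry['alerts'])}")
    print("bypass candidates:", bypass_candidates(sessions, "portal.gov.example"))
```

Run against the sample, only the signing-provider host is reported as a bypass candidate; the telemetry host also failed, but on the server side, so bypassing interception would not change anything for it. Once a candidate is identified, add it to the SSL interception bypass list and re-test with the agent enabled.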