The original SSL interception root certificate used by the Cloud Secure Web Gateway (formerly known as WSS) expired September 5, 2021. Clients that were not updated will experience certificate validation errors which will disrupt access to TLS/SSL encrypted content. A Cloud SWG client includes any device that forwards traffic to Cloud SWG. The new certificate is valid until September 5, 2036.
Installing WSS Agent v7.1.1 or newer automatically installs the new certificate. Alternatively, the replacement certificate is available for download on the Cloud SWG portal. Both old and new certificates may coexist indefinitely. However, per certificate management best practices, we strongly recommend removing the expired certificate as soon as it is replaced with the new certificate.
Q: Why were the Cloud SWG certificates updated?
A: The original SSL root certificate used by Cloud SWG for SSL interception expired on September 5, 2021. The replacement root certificate expires on September 5, 2036, providing an additional 15 years of life. The private key and other aspects remain unchanged, allowing for an in-place replacement.
Q: What specifically changed in the certificate?
A: The only change between the old and new certificates is the expiration date.
Q: When does the old SSL Root certificate expire?
A: The original Cloud SWG root certificate expired on September 5, 2021. The new certificate expires on September 5, 2036.
Q: What is the recovery process for endpoints not updated before September 5, 2021?
A: Updating the client's Cloud SWG root certificate will fully resolve the issue.
Q: When will the new SSL Root certificate be available to download from the Cloud SWG Portal?
A: The updated Cloud SWG root certificate has been available for download in the Cloud SWG Portal since October 12, 2020. In addition, WSS Agent v7.1.1 (and newer) ships with the new certificate. Therefore, any device running WSS Agent v7.1.1, or newer, should already have the new certificate.
Q: Where can I download the new certificate?
A: After logging into the Cloud SWG Portal, navigate to Policy > TLS/SSL Interception, expand the TLS/SSL Interception Certificate section, and click the Download button.
Q: How do I update the certificate on clients using WSS Agent?
A: Updating to WSS Agent 7.1.1, or newer, will perform an automatic update of the certificate on the client.
Q: How do I update the certificate on clients that don't use WSS Agent v7.x?
A: Basic certificate distribution instructions are available at Distribute Cloud SWG Root Cert to Endpoints. Alternatively, various 3rd party certificate management tools can be used per the vendor's instructions.
Q: How do I update the certificate on endpoints using SEP to connect to Cloud SWG?
A: The new certificate was distributed by LiveUpdate in September 2020. In addition, SEP 14.3 RU1 and later include the new certificate as part of the software installation. We recommend verifying the presence of the new certificate and then removing the old certificate.
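One way to carry out the verify-then-remove step on a Windows endpoint, as an added example that is not part of the original FAQ or any vendor tooling. It assumes the root lives in the `LocalMachine\Root` store; the function name and the `-SubjectPattern` value are hypothetical, since the page does not give the certificate's subject.

```powershell
# Added example for Windows endpoints; function and parameter names are hypothetical.
function Get-SwgRootRolloverStatus {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Placeholder: the page does not give the subject name. Read it from the
        # certificate downloaded from the portal, e.g. '*<subject CN here>*'.
        [Parameter(Mandatory)][string]$SubjectPattern,
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        [switch]$RemoveExpired
    )
    $now = Get-Date
    $candidates = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectPattern })
    if ($candidates.Count -eq 0) {
        Write-Warning "No certificate matching '$SubjectPattern' in $StorePath"
        return
    }
    # Old and new roots share subject and key, so neither identifies which is
    # which. Group on the public key, split on NotAfter, act by thumbprint.
    $groups = $candidates |
        Group-Object -Property { [BitConverter]::ToString($_.GetPublicKey()) }
    foreach ($g in $groups) {
        $valid   = @($g.Group | Where-Object { $_.NotAfter -gt $now })
        $expired = @($g.Group | Where-Object { $_.NotAfter -le $now })
        $state = 'NewCertMissing'   # only the expired root is installed
        if ($valid.Count -gt 0) { $state = 'OK' }
        if ($valid.Count -gt 0 -and $expired.Count -gt 0) { $state = 'RemoveOld' }
        [pscustomobject]@{
            State              = $state
            ValidThumbprints   = @($valid | ForEach-Object { $_.Thumbprint })
            ValidUntil         = @($valid | ForEach-Object { $_.NotAfter })
            ExpiredThumbprints = @($expired | ForEach-Object { $_.Thumbprint })
        }
        # Remove the expired copy only when a valid one with the same key is present.
        if ($RemoveExpired -and $state -eq 'RemoveOld') {
            foreach ($cert in $expired) {
                if ($PSCmdlet.ShouldProcess($cert.Thumbprint, 'Remove expired root certificate')) {
                    Remove-Item -LiteralPath $cert.PSPath
                }
            }
        }
    }
}

# Report only:  Get-SwgRootRolloverStatus -SubjectPattern '*<subject CN here>*'
# Dry run:      ... -RemoveExpired -WhatIf   (removal needs an elevated session)
```

A `NewCertMissing` result means the endpoint still needs the replacement certificate installed before anything is removed.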
Q: How do I update the certificate on my on-prem ProxySG/ASG/ISG used for proxy-forwarding to Cloud SWG?
A: Please complete the steps documented at Configure Symantec Appliance Proxy Forwarding.
Q: Why is a pre-v7.1 WSS Agent (or Unified Agent) displaying "Cloud SWG SSL intercept certificate was NOT found" in the user-interface and logs after removing the old certificate?
A: Versions of WSS Agent prior to version 7.1.1 (and all versions of Unified Agent) perform a check for the previous SSL intercept certificate and display a warning if it is not installed. This warning can safely be ignored after the new certificate has been installed.
Q: What communications have been sent so far regarding this change?
A: Communications that have already been sent or posted:
Q: Does the new SSL Intercept certificate impact CASB Gateway deployments?
A: Yes, the Cloud SWG root certificate is also used for CASB Gateway traffic. Customers that deployed before October 2020 and use only Proxy-Forwarding or Explicit Proxy to direct traffic to CASB must update their proxies and endpoint certificate stores as documented.