Web Security Service Root CA update Frequently Asked Questions (FAQs)

Article ID: 200314

Products

Web Security Service - WSS

Issue/Introduction

The SSL interception root certificate used by the Web Security Service (WSS) expires September 5, 2021, and must be updated on all WSS clients prior to expiration to avoid service disruption. Clients that are not updated on time will experience certificate validation errors which will disrupt access to TLS/SSL encrypted content. Clients can include any device that forwards traffic to WSS. The new certificate is valid until September 5, 2036.

Installing WSS Agent v7.1.1 or newer automatically installs the new certificate. Alternatively, the replacement certificate is available for download on the WSS portal. Both old and new certificates may coexist indefinitely. However, per certificate management best practices, we strongly recommend removing the expired certificate as soon as it is replaced with the new certificate.

Resolution

Frequently Asked Questions (FAQ):

Q: Why are the WSS certificates being updated?
A: The original SSL root certificate utilized by WSS for SSL interception is set to expire on September 5, 2021. The replacement root certificate expires on September 5, 2036, providing an additional 15 years of life. The private key and other aspects remain unchanged, allowing for an in-place replacement.

Q: What specifically changed in the certificate?
A: The only change between the old and new certificates is the expiration date.

Q: When does the old SSL Root certificate expire?
A: The original WSS root certificate expires on September 5, 2021. The new certificate expires on September 5, 2036.

Q: What is the recovery process for endpoints not updated before September 5th, 2021?
A: Updating the client's WSS root certificate will fully resolve the issue.

Q: When will the new SSL Root certificate be available to download from the WSS Portal?
A: The updated WSS root certificate has been available for download in the WSS Portal since October 12, 2020. In addition, WSS Agent v7.1.1 (and newer) ships with the new certificate. Therefore, any device running WSS Agent v7.1.1, or newer, should already have the new certificate.

Q: Where can I download the new certificate?
A: After logging into the WSS Portal, navigate to Policy > TLS/SSL Interception, expand the TLS/SSL Interception Certificate section, and click the Download button.

Q: How do I update the certificate on clients using WSS Agent?
A: Updating to WSS Agent 7.1.1, or newer, will perform an automatic update of the certificate on the client.

Q: How do I update the certificate on clients that don't use WSS Agent v7.x?
A: Basic certificate distribution instructions are available at Distribute WSS Root Cert to Endpoints. Alternatively, various third-party certificate management tools can be used per the vendor's instructions.

Q: How do I update the certificate on endpoints using SEP to connect to WSS?
A: The new certificate was distributed by LiveUpdate in September 2020. In addition, SEP 14.3 RU1 and later include the new certificate as part of the software installation. We recommend verifying the presence of the new certificate and then removing the old certificate.
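
One way to verify that the new certificate is present and to locate the old one for removal is to audit a trust store by public key, since the re-issued root keeps the same key and only the expiration date changes. This is an added example, not vendor-supplied code; it assumes the `openssl` CLI and a PEM trust bundle, and every certificate, subject name and file name in it is a constructed stand-in.

```shell
#!/usr/bin/env bash
# Added example: find old and new copies of a re-issued root in a PEM bundle.
# Every certificate below is a constructed stand-in, not the real WSS root.

# Public key of a certificate, as PEM text. A root re-issued with the same
# private key keeps this value; only validity dates and fingerprint change.
pubkey() { openssl x509 -in "$1" -noout -pubkey; }
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# audit_bundle REFERENCE BUNDLE [WINDOW_SECONDS]
# REFERENCE is the newly downloaded root; BUNDLE is the trust store to audit.
# Prints one line per bundle entry that shares the reference public key:
#   NEW = identical to the reference, OLD = same key but another certificate.
# The second field flags entries expiring within WINDOW_SECONDS (default 30 days).
audit_bundle() {
  ref=$1 bundle=$2 window=${3:-2592000}
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  ref_key=$(pubkey "$ref"); ref_fp=$(fingerprint "$ref")
  for c in "$tmp"/c*.pem; do
    [ -f "$c" ] || continue
    [ "$(pubkey "$c")" = "$ref_key" ] || continue      # unrelated CA, skip
    if [ "$(fingerprint "$c")" = "$ref_fp" ]; then kind=NEW; else kind=OLD; fi
    if openssl x509 -in "$c" -noout -checkend "$window" >/dev/null; then
      life=valid; else life=expiring; fi
    echo "$kind $life $(openssl x509 -in "$c" -noout -enddate)"
  done
  rm -rf "$tmp"
}

# Build constructed sample data: one key, a 1-day "old" root, a 15-year "new"
# root with the same key and subject, and an unrelated CA.
make_sample() {
  d=$1; subj="/CN=Example Intercept Root"
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/root.key"
  openssl ecparam -genkey -name prime256v1 -noout -out "$d/other.key"
  openssl req -x509 -new -key "$d/root.key" -subj "$subj" -days 1 -out "$d/old.pem"
  openssl req -x509 -new -key "$d/root.key" -subj "$subj" -days 5475 -out "$d/new.pem"
  openssl req -x509 -new -key "$d/other.key" -subj "/CN=Unrelated CA" -days 365 -out "$d/other.pem"
  cat "$d/old.pem" "$d/other.pem" "$d/new.pem" > "$d/bundle.pem"
}

work=$(mktemp -d)
make_sample "$work"
audit_bundle "$work/new.pem" "$work/bundle.pem"
```

An `OLD` line with no accompanying `NEW` line means the store still trusts only the expiring root; a `NEW` line alongside an `OLD` line means the old entry is ready to be removed.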

Q: How do I update the certificate on my on-prem ProxySG/ASG/ISG used for proxy-forwarding to WSS?
A: Please complete the steps documented at Configure Symantec Appliance Proxy Forwarding.

Q: Why is a pre-v7.1 WSS Agent (or Unified Agent) displaying "WSS SSL intercept certificate was NOT found" in the user-interface and logs after removing the old certificate?
A: Versions of WSS Agent prior to version 7.1.1 (and all versions of Unified Agent) perform a check for the previous SSL intercept certificate and display a warning if it is not installed. This warning can safely be ignored after the new certificate has been installed.

Q: What communications have been sent so far regarding this change?
A: Communications that have already been sent or posted:

  • Email: Initial Announcement - September 25, 2020
  • Status Page Post: Initial Announcement - September 25, 2020
  • Email: Reminder - March 8, 2021
  • Email: Reminder - June 2, 2021
  • Email: Reminder - July 6, 2021
  • Portal Modal Alert - July 15, 2021
  • Email: Reminder - July 26, 2021
  • Email: Reminder - August 30, 2021
  • Status Page Post: Critical Reminder - August 30, 2021

Q: Does the new SSL Intercept certificate impact CASB Gateway deployments?
A: Yes, the WSS root certificate is also used for CASB Gateway traffic. Customers that deployed before October 2020 utilizing only Proxy-Forwarding or Explicit Proxy for directing traffic to CASB must update their proxies and endpoint certificate stores as documented.