Change the expired self-signed SSL certificate (keyring) used for SSL Interception on the ProxySG


Article ID: 165994


Updated On:


ProxySG Software - SGOS


Changing an expired self-signed certificate used for SSL Interception


If you want to change the certificate used for SSL Interception, please follow the steps below:

On the ProxySG:

  1. Create a new Keyring by navigating to Configuration > SSL > Keyrings, and Apply to save the changes
  2. Edit this new Keyring, and click on Create New Certificate. Enter the details and Apply to save the changes
  3. Click Edit again for the certificate, and copy the entire content in the Certificate field to the clipboard
  4.  Navigate to Configuration > SSL > CA Certificates and click Import.
  5.  Now open your Visual Policy Manager and navigate to SSL Intercept Layer
  6. Edit your Enable Interception action item, and change the Issuer Keyring to the newly created certificate.

In the Client Desktop:

  1. Take a copy of the certificate from the newly created Keyring
  2. Open a notepad and paste the content to this. Save the file as “Somename.cer”
  3. Install this certificate as a “Trusted Root Certificate Authority” by double clicking and using the install option


  • This new certificate can be then passed to your Domain Group policy Administrator to add it as “Trusted Root Certificate Authority” and push to client. This will work for IE and Chrome.
  • Since Firefox uses a different certificate cache, you will have to add the new certificate to a Firefox browser separately.