When full SSL Interception is configured on the Proxy via Policy, the SG will be issuing the Certificate associated with that Keyring (defined in the SSL Intercept Rule in Policy) to the client when it attempts to make a secure connection over SSL (assuming the SG is intercepting that connection and the SSL Intercept Rule matches in Policy).
This example is for a Forward Proxy (not reverse proxy) deployment.
To stop the browser from issuing "Untrusted" type error messages, install that ProxySG Keyring Certificate into the Browser's trusted list.
This can be done via the following steps:
Search for the string "ssl.forward_proxy.issuer_keyring"
In this example, the Keyring used in the Rule is the DEFAULT keyring.
Click "Download a ProxySG Certificate as a CA certificate"
Click on the "DEFAULT" keyring and save the certificate as ".cer" format onto the desktop or another location.
In this example, this can be done manually on Internet Explorer, Firefox and also All browsers at the same time.
a. Internet Explorer
Tools > Internet Options > Content > Certificates > Trusted Root Certificates Authorities > Import > Next > Filename > Point to the certificate file saved earlier > Change the file types to All on the Windows Explorer screen > Next > Next > Finish
Tools > Options > Encryption > View Certificates > Authorities > Import > Point to earlier saved certificates files > Checked on the first option to "Trust this CA to identify web sites"
c. All browsers at the same time
On Microsoft Windows
On a Linux distribution