The SSL Visibility Appliance verifies the validity of server certificate chains before re-signing them. This validation process can be used in policy to re-sign invalid certificates with a CA that clients do not trust, which allows the appliance to decrypt the session while preserving the certificate status.
In order to validate a server certificate chain, the SSL Visibility Appliance must be able to completely rebuild the chain from the server certificate to the root CA. To rebuild the chain, the appliance must be able to access all certificates in the chain as follows:
There may be cases where an intermediate or root CA is not found in the SSL Visibility Appliance External Certificate Authorities list. In that case the appliance reports "Invalid Issuer certificate status".
This happens because the external CA list is not updated automatically; at the moment it is updated only periodically and manually. In the interim, if the CA certificate is from a well-known CA and is trusted by major browsers, it can be added to the external CA list by importing its PEM file into the all-external-certificate-authorities list.
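
The chain rebuild described above, reduced to issuer-name matching so it shows which CA certificate is missing from the list, as an added example (not the appliance's own code or algorithm). The certificate records, the names in them, the function `rebuild_chain` and the "Valid" status string are assumptions made for illustration; a real validator also checks signatures, validity dates and key identifiers.

```python
"""Name-based chain rebuild against an external CA list (simplified model)."""

# Constructed sample data: each certificate is reduced to its subject and
# issuer names. None of these names come from a real deployment.
SERVER_CERT = {"subject": "CN=www.example.test", "issuer": "CN=Example Issuing CA 2"}

EXTERNAL_CA_LIST = [
    {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"},
    {"subject": "CN=Example Issuing CA 1", "issuer": "CN=Example Root CA"},
]

# The intermediate that signed SERVER_CERT; absent from the list above.
MISSING_INTERMEDIATE = {"subject": "CN=Example Issuing CA 2", "issuer": "CN=Example Root CA"}


def rebuild_chain(server_cert, ca_list):
    """Walk issuer links from the server certificate up to a self-signed root.

    Returns (status, chain, missing_issuer). status is "Valid" when a
    self-signed root in ca_list is reached. Otherwise it is "Invalid Issuer"
    and missing_issuer names the CA certificate that would have to be
    imported (None when the issuer links loop without reaching a root).
    """
    by_subject = {ca["subject"]: ca for ca in ca_list}
    chain = [server_cert["subject"]]
    seen = {server_cert["subject"]}
    current = server_cert
    while True:
        issuer = by_subject.get(current["issuer"])
        if issuer is None:
            # The next link is not available: the chain cannot be completed.
            return "Invalid Issuer", chain, current["issuer"]
        if issuer["subject"] == issuer["issuer"]:
            # Self-signed root found in the list: the chain is complete.
            if issuer["subject"] not in seen:
                chain.append(issuer["subject"])
            return "Valid", chain, None
        if issuer["subject"] in seen:
            # Issuer loop (e.g. a cross-signed pair) with no root in the list.
            return "Invalid Issuer", chain, None
        seen.add(issuer["subject"])
        chain.append(issuer["subject"])
        current = issuer


if __name__ == "__main__":
    print(rebuild_chain(SERVER_CERT, EXTERNAL_CA_LIST))
    print(rebuild_chain(SERVER_CERT, EXTERNAL_CA_LIST + [MISSING_INTERMEDIATE]))
```

The third element of the first result is the subject name of the CA whose PEM file would need to be obtained and checked before it is imported.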