When the ProxySG appliance intercepts an HTTPS connection, it terminates the client request and then initiates a new request to the origin content server (OCS).
The ProxySG must have an up-to-date list of trusted CA certificates to enable the certificate validation process. The ProxySG appliance uses its built-in browser-trusted CA Certificate List (CCL) for this purpose. In previous SGOS versions, the ProxySG appliance's list of browser-trusted CAs was updated automatically only upon SGOS upgrade, and users were able to add trusted CA certificates manually.
From SGOS 6.3, the Downloadable CA List feature is available. The appliance now automatically downloads an updated browser-trusted list of CAs (trust_package.bctp) every seven days by default. This smart download compares the existing browser-trusted list on the appliance to the new list and only modifies CA certificates that have been added or deleted since the last update.
To show the current settings (and some additional information, for example the download error log):
10.91.22.2 - Blue Coat SG210 Series#show security trust-package
Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled
Auto-update interval: 7 days
Previous (success) install via manual
Creation time: Wednesday November 30 2011 04:08:01 UTC
CA Certificate List changes:
browser-trusted: CAs - 0 added, 0 deleted, 0 modified
image-validation install: Thursday December 15 2011 01:11:56 UTC
Downloaded at: Thursday December 15 2011 01:16:54 UTC Failed
Error status - 951
Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp
To change the download path:
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package download-path http://10.91.22.102/trust_package.bctp
The SG appliance can only download and install a trust_package.bctp trust package created by Blue Coat Systems, Inc.
To enable/disable the automatic download completely:
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update disable
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update enable
To change the default 7-day interval (accepted values from 1 to 30):
10.91.22.2 - Blue Coat SG210 Series#(config)security trust-package auto-update interval 15
To force a download of the CA list:
10.91.22.2 - Blue Coat SG210 Series#(config)load trust-package
Downloading from "http://10.91.22.102/trust_package.bctp"
The trust package has been successfully downloaded.
trust package successfully installed
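
Added example (not part of the original article and not Blue Coat tooling): a Python check that parses captured "show security trust-package" output, such as the listing earlier on this page, and reports a changed download path, disabled auto-update, a failed download, or an old installed package. The function names, the 90-day age threshold and how the output is collected from the appliance are assumptions.

```python
import re
from datetime import datetime, timezone

# Default download URL as shown in the CLI output on this page.
DEFAULT_URL = "http://appliance.bluecoat.com/sgos/trust_package.bctp"

# Sample text modelled on the `show security trust-package` output above (abridged).
SAMPLE = """\
Download url: http://appliance.bluecoat.com/sgos/trust_package.bctp
Auto-update: enabled
Auto-update interval: 7 days
Previous (success) install via manual
Creation time: Wednesday November 30 2011 04:08:01 UTC
image-validation install: Thursday December 15 2011 01:11:56 UTC
Downloaded at: Thursday December 15 2011 01:16:54 UTC Failed
Error status - 951
Downloaded from: http://appliance.bluecoat.com/sgos/trust_package.bctp
"""

def _field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

# max_age_days=90 is an assumed threshold for this example, not a vendor value.
def audit_trust_package(text, now, expected_url=DEFAULT_URL, max_age_days=90):
    """Return a list of findings for one appliance's trust-package status."""
    findings = []
    url = _field(r"Download url:\s*(\S+)", text)
    if url != expected_url:
        findings.append(f"download path is {url}, expected {expected_url}")
    if _field(r"Auto-update:\s*(\w+)", text) != "enabled":
        findings.append("auto-update is not enabled")
    failed = _field(r"Downloaded at:\s*(.+? UTC)\s+Failed", text)
    if failed:
        status = _field(r"Error status - (\d+)", text)
        findings.append(f"last download failed at {failed} (error status {status})")
    created = _field(r"Creation time:\s*(.+? UTC)", text)
    if created is None:
        findings.append("no creation time reported for the installed package")
    else:
        ts = datetime.strptime(created, "%A %B %d %Y %H:%M:%S UTC")
        age = (now - ts.replace(tzinfo=timezone.utc)).days
        if age > max_age_days:
            findings.append(f"installed package is {age} days old")
    return findings

if __name__ == "__main__":
    for f in audit_trust_package(SAMPLE, datetime.now(timezone.utc)):
        print("FINDING:", f)
```

If the download path has been pointed at an internal mirror, pass that URL as expected_url so that only unexpected changes are reported.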