SSL Proxy might fail with "Failed to create authority key identifier extension" and "unable to get issuer keyid" after upgrading to SGOS 6.3 and above




SSL Proxy might fail after upgrading to SGOS 6.3, 6.4 and 6.5. The following messages are logged in the Event Log:

- Failed to create authority key identifier extension

- unable to get issuer keyid



The code in SGOS 6.3, 6.4 and 6.5 has been tightened to ensure that the certificate in ssl.forward_proxy.issuer_keyring is indeed a CA. When SSL Proxy checks the issuer certificate for the Subject Key Identifier and Authority Key Identifier extensions and finds them missing, interception fails. This does not mean that you cannot use a self-signed certificate for SSL interception.

To address the problem:

1. Create a new Certificate Signing Request (000008819)

2. Sign the CSR with your Certificate Authority

3. Import the new Certificate into your list of CAs (000011775)

Note: It is important that the new certificate you are using for interception holds the following extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

If you are using XCA to sign your certificate, these extensions can be found under 'Extensions --> Key Identifier'.


Note: If a new keyring was created in this process, you need to change the SSL Proxy Issuer Keyring to the new keyring. To do this, go to Management Console GUI - Configuration - Proxy Settings - SSL Proxy - Issuer Keyring.
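
Before importing the new certificate, the extension check from the note above can be run against it locally. The following is an added example, not vendor code: it scans `openssl x509 -noout -text` output for the two key identifier extensions, and the function names, sample text and the advisory CA:TRUE check are assumptions of this example.

```shell
# Added example, not vendor code. Checks `openssl x509 -noout -text` output
# (read on stdin) for the two extensions the article requires.
check_issuer_text() {
    text=$(cat)
    rc=0
    for ext in "Subject Key Identifier" "Authority Key Identifier"; do
        if printf '%s\n' "$text" | grep -q "X509v3 $ext:"; then
            echo "OK       X509v3 $ext"
        else
            echo "MISSING  X509v3 $ext"
            rc=1
        fi
    done
    # Advisory only (assumption, not stated in the article): a CA
    # certificate normally also carries Basic Constraints CA:TRUE.
    if printf '%s\n' "$text" | grep -q "CA:TRUE"; then
        echo "OK       Basic Constraints CA:TRUE"
    else
        echo "WARN     Basic Constraints CA:TRUE not found"
    fi
    return "$rc"
}

# Convenience wrapper for a PEM file on disk (hypothetical file name below).
check_issuer_cert() {
    openssl x509 -in "$1" -noout -text | check_issuer_text
}

# Constructed sample output (key identifier values are made up).
SAMPLE_GOOD='        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AA:BB:CC:DD
            X509v3 Authority Key Identifier:
                keyid:AA:BB:CC:DD
            X509v3 Basic Constraints: critical
                CA:TRUE'
SAMPLE_BAD='        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE'

# Usage: sh check_issuer.sh new-issuer.pem (no argument runs the samples)
if [ "$#" -gt 0 ]; then
    check_issuer_cert "$1"
else
    printf '%s\n' "$SAMPLE_GOOD" | check_issuer_text
    printf '%s\n' "$SAMPLE_BAD" | check_issuer_text || echo "sample without key identifiers rejected"
fi
```

A non-zero exit status means at least one of the two key identifier extensions is absent, which is the condition the article ties to the failed interception.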

Additional Information
Bug Number
InQuira Doc Id: KB5051

First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Article Audience
Product      ProxySG
Software      SGOS 6.3, SGOS 6.4, SGOS 6.5
Topic      SSL / HTTPS
Article Number      000013671