Transparent SSL interception still does not work properly after replacing the expired certificate on the ProxySG




Transparent SSL interception still does not work after the expired certificate on the ProxySG has been replaced. Either the client still receives the old certificate from the ProxySG, or the browser reports that the certificate path is incomplete.


When the certificate in the keyring used to intercept SSL traffic has expired, a new certificate must be obtained. If the new certificate is signed by a third-party CA or by the customer's own public key infrastructure, it must be:

  •  issued with authority to sign other certificates (a CA certificate, not a server certificate)
  •  imported both into the ProxySG CA certificate list and into the keyring. Detailed steps for creating a certificate with this authority and for importing it into the keyring and the CA list are in 000008716.

To verify that the certificate is authorized to sign other certificates (using the Windows certificate viewer):

  1. Double-click the certificate file to open it.
  2. Click the Details tab.
  3. Scroll down the field list to Key Usage.
  4. A correct certificate shows the value below:

             Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

The value in parentheses is the key usage bit mask in hexadecimal (0x86 = digitalSignature, keyCertSign, cRLSign). The Certificate Signing bit is the one SSL interception depends on: without it the ProxySG cannot issue the emulated server certificates, and browsers reject any it does issue.

SSL interception works again after the renewed certificate is imported, provided the criteria above are met. Refer to 000008716 for detailed steps on deploying SSL interception in a transparent deployment.
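The check in steps 1 to 4 above is done by hand in the Windows certificate viewer. The same check from the command line, as an added example that is not part of the Blue Coat article, is shown below. It assumes the openssl CLI (1.1.1 or later) is available on the administrator's workstation. Beyond the key usage bits the article lists, it also checks basicConstraints CA:TRUE, which browsers require on any issuing certificate, and that the certificate has not already expired, since expiry was the original failure. The two sample certificates it generates are constructed for the demonstration and are not real customer certificates.

```shell
#!/bin/sh
# Added example, not from the Blue Coat article: verify that a PEM
# certificate is usable as a ProxySG SSL-interception issuer before
# importing it into the keyring and the CA certificate list.

# check_issuer_cert FILE.pem
# Returns 0 when the certificate can sign emulated server certificates,
# 1 otherwise, printing the reason to stderr. Assumes openssl 1.1.1+.
check_issuer_cert() {
    cert="$1"
    txt=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || {
        echo "$cert: not a readable PEM certificate" >&2; return 1; }
    # keyUsage must include keyCertSign; openssl prints it as
    # "Certificate Sign" (the Windows viewer shows "Certificate Signing").
    if ! printf '%s\n' "$txt" | grep -q 'Certificate Sign'; then
        echo "$cert: keyUsage lacks Certificate Sign" >&2; return 1
    fi
    # An issuing certificate also needs basicConstraints CA:TRUE
    # (a check added here; the article lists key usage only).
    if ! printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then
        echo "$cert: basicConstraints is not CA:TRUE" >&2; return 1
    fi
    # -checkend 0 exits non-zero when notAfter is already in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "$cert: certificate has expired" >&2; return 1
    fi
    echo "$cert: usable as an SSL-interception issuer"
    return 0
}

# make_test_certs DIR
# Constructed sample input: good.pem is a self-signed CA with the
# extensions the ProxySG needs; bad.pem is an ordinary server-style
# certificate, which is the usual mistake when a renewal is requested.
make_test_certs() {
    d="$1"
    cat > "$d/test.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Intercept CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$d/test.cnf" -extensions v3_ca \
        -keyout "$d/good.key" -out "$d/good.pem" 2>/dev/null
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$d/test.cnf" -extensions v3_leaf \
        -subj "/CN=www.example.com" \
        -keyout "$d/bad.key" -out "$d/bad.pem" 2>/dev/null
}
```

Run `check_issuer_cert renewed.pem` on the certificate returned by the CA before importing it; if it fails on the key usage or CA:TRUE check, the request was issued as a server certificate and must be re-issued as a subordinate CA, as 000008716 describes.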



Additional Information
InQuira Doc Id      KB4395

First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      SG200, SG210, SG300, SG600, SG9000, SWG VA-100
Topic      SSL / HTTPS
Article Number      000014075