Transparent SSL interception still does not work properly after replacing the expired certificate in ProxySG

Solutions ID:    KB4395
Version:    1.0
Status:    Published
Published date:    04/24/2011

Problem Description

Transparent SSL interception still does not work after replacing the expired certificate on the ProxySG. The client either receives the old certificate from the ProxySG, or the certificate path shown in the browser is incomplete.


When the certificate in the keyring used to intercept SSL traffic has expired, a new certificate must be obtained. If the new certificate is to be signed by a third-party CA or by the customer's own public key infrastructure, the certificate must be:

  •  issued as a CA certificate, i.e. with authority to sign other certificates (a Key Usage that includes Certificate Signing, together with the Basic Constraints CA flag). An ordinary server certificate lacks this and cannot be used to sign the emulated certificates the ProxySG presents to clients.
  •  imported into both the ProxySG CA list and the keyring. The detailed steps on how to create a certificate with such authority and how to import it into the keyring and the CA list can be found in KB3700.

To verify in the Windows certificate viewer whether the certificate is authorized to sign other certificates:

  1. Double-click the certificate file to open the certificate viewer.
  2. Click the Details tab.
  3. Scroll down the list of fields and select Key Usage.
  4. A correct certificate shows the value below. The hex value in parentheses is the raw Key Usage bit string; 86 sets the Digital Signature, Certificate Signing and CRL Signing bits.

             Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86)

SSL interception should work properly after the renewed certificate is imported, provided the criteria above are met. Refer to KB3700 for detailed steps on how to deploy SSL interception in a transparent deployment.
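The Windows viewer decodes the Key Usage extension for you; the following is an added example (not ProxySG code or part of this article) that performs the same check on the raw DER value with nothing but the Python standard library, so it can be run against an extension value dumped from a certificate on any platform. The DER byte strings at the bottom are constructed by hand: the first is the 86 value quoted above, the second is a typical end-entity server certificate that must not be used in the keyring. The Windows display names for the three bits in the quoted value are taken from this article; the names for the other bits are assumed. The decoder also handles the two-byte encoding needed for the decipherOnly bit, which goes beyond the single-byte value shown in the article.

```python
"""
Decode a DER-encoded X.509 KeyUsage extension value and check that it
permits certificate signing, the property the ProxySG needs in the
keyring certificate used for SSL interception.
"""

# RFC 5280, section 4.2.1.3: KeyUsage is a BIT STRING in which bit 0 is
# the most significant bit of the first content byte.
KEY_USAGE_BITS = [
    "digitalSignature",  # bit 0 -> 0x80 of byte 0
    "nonRepudiation",    # bit 1 -> 0x40
    "keyEncipherment",   # bit 2 -> 0x20
    "dataEncipherment",  # bit 3 -> 0x10
    "keyAgreement",      # bit 4 -> 0x08
    "keyCertSign",       # bit 5 -> 0x04  (Certificate Signing)
    "cRLSign",           # bit 6 -> 0x02  (CRL Signing)
    "encipherOnly",      # bit 7 -> 0x01
    "decipherOnly",      # bit 8 -> 0x80 of byte 1
]

# Names the Windows certificate viewer uses for the same bits. The names
# for digitalSignature, keyCertSign and cRLSign match the value quoted in
# the article; the remaining names are assumed.
WINDOWS_NAMES = {
    "digitalSignature": "Digital Signature",
    "nonRepudiation": "Non-Repudiation",
    "keyEncipherment": "Key Encipherment",
    "dataEncipherment": "Data Encipherment",
    "keyAgreement": "Key Agreement",
    "keyCertSign": "Certificate Signing",
    "cRLSign": "Off-line CRL Signing, CRL Signing",
    "encipherOnly": "Encipher Only",
    "decipherOnly": "Decipher Only",
}


def decode_key_usage(der):
    """Return the set of KeyUsage names set in a DER BIT STRING.

    der is the full TLV: tag 0x03, a short-form length, one byte giving
    the number of unused trailing bits, then the bit string content.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    usages = set()
    for bit, name in enumerate(KEY_USAGE_BITS):
        if bit >= total_bits:
            break  # remaining bits are absent from this encoding, i.e. clear
        if body[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(name)
    return usages


def can_sign_certificates(der):
    """True if the certificate may issue other certificates (keyCertSign set)."""
    return "keyCertSign" in decode_key_usage(der)


def windows_display(der):
    """Render the value the way the Windows viewer's Key Usage field shows it."""
    usages = decode_key_usage(der)
    names = [WINDOWS_NAMES[n] for n in KEY_USAGE_BITS if n in usages]
    return "%s (%s)" % (", ".join(names), der[3:].hex())


# Constructed sample values (DER: tag, length, unused-bits count, content).
CA_KEY_USAGE = bytes.fromhex("03020186")      # 0x86: digitalSignature, keyCertSign, cRLSign
SERVER_KEY_USAGE = bytes.fromhex("030205a0")  # 0xa0: digitalSignature, keyEncipherment

if __name__ == "__main__":
    for label, value in (("CA certificate", CA_KEY_USAGE), ("server certificate", SERVER_KEY_USAGE)):
        verdict = "OK for the keyring" if can_sign_certificates(value) else "cannot sign certificates"
        print("%s: %s -> %s" % (label, windows_display(value), verdict))
```

Run as a script it prints the CA value exactly as the Windows viewer shows it and flags the server value as unusable; to check a real certificate, extract the KeyUsage extension value with any ASN.1 dumper and pass its bytes to can_sign_certificates().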


