Technical Alerts

Some sites signed by Thawte Premium Server CA and thawte Primary Root CA now give "untrusted server certificate error" since upgrade to 5.5.9.1.

Technical Alerts ID:    TFA106
Version:    5.0
Status:    Published
Published date:    06/22/2012
Updated:    06/26/2012
 

Affected products and versions

5.5.9.1

6.2.8.1, 6.2.9.1

6.2.3.2

Other versions may be affected.

Problem description

We are receiving reports that, on certain versions of SGOS, access to some sites signed by Thawte returns an "untrusted issuer" error when Detect Protocol is enabled.


Sites which present the following CA WORK:
Common name: thawte Primary Root CA
Organization: thawte, Inc.
Location: US
Valid from November 16, 2006 to December 30, 2020
Serial Number: 3365500879ad73e230b9e01d0d7fac91 <----------Notice the only difference is the serial number.
Signature Algorithm: sha1WithRSAEncryption
Issuer: Thawte Premium Server CA

 

Sites which present the following CA DO NOT WORK:
Common name: thawte Primary Root CA
Organization: thawte, Inc.
Location: US
Valid from November 16, 2006 to December 30, 2020
Serial Number: 5fa6be80b686c62f01ed0cabb196a105 <----------Notice the only difference is the serial number.
Signature Algorithm: sha1WithRSAEncryption
Issuer: Thawte Premium Server CA

This only happens with certs signed by Thawte.
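
To tell which of the two variants a site's chain carries, the serial numbers above can be matched against `openssl x509` output. The Python below is an added example, not Blue Coat code; the function names, the leaf certificate and the sample output are constructed for illustration.

```python
import re

# Serial numbers copied from the alert. Both certificates have the subject
# "thawte Primary Root CA" and the issuer "Thawte Premium Server CA".
KNOWN = {
    "3365500879ad73e230b9e01d0d7fac91": "works",
    "5fa6be80b686c62f01ed0cabb196a105": "untrusted issuer",
}

def normalize_serial(raw):
    """Reduce 'AB:CD', '0xABCD' or 'ABCD' to lower-case hex without leading zeros."""
    return re.sub(r"[^0-9a-f]", "", raw.lower()).lstrip("0") or "0"

def classify_chain(text):
    """Return (common_name, serial, verdict) for every certificate in `text`.

    `text` is the concatenated output of
    `openssl x509 -noout -serial -subject -issuer`, run once per certificate
    in the chain, so each `serial=` line starts a new record.
    """
    records = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        key = key.strip().lower()
        if not sep:
            continue
        if key == "serial":
            records.append({"serial": normalize_serial(value), "cn": "?"})
        elif key == "subject" and records:
            match = re.search(r"CN\s*=\s*([^,/]+)", value)
            if match:
                records[-1]["cn"] = match.group(1).strip()
    return [(r["cn"], r["serial"], KNOWN.get(r["serial"], "not covered by this alert"))
            for r in records]

# Constructed sample: a made-up leaf certificate followed by the variant the
# alert lists as failing.
SAMPLE = """\
serial=0123456789ABCDEF
subject=C = US, O = Example Corp, CN = www.example.com
issuer=C = US, O = Example Corp, CN = Example Issuing CA
serial=5FA6BE80B686C62F01ED0CABB196A105
subject=C = US, O = "thawte, Inc.", CN = thawte Primary Root CA
issuer=CN = Thawte Premium Server CA
"""

if __name__ == "__main__":
    for cn, serial, verdict in classify_chain(SAMPLE):
        print(f"{cn:28} {serial:34} {verdict}")
```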

Status

Bug 175163 has been raised for this issue. If you hit this bug, please contact support so they can add the SR to the bug.

Workaround

Add the following certificate (copy and paste) to the Blue Coat (GUI > Configuration panel > SSL > CA Certificates > CA Certificates tab > Import). Once you have done that, add the imported CA certificate to the browser-trusted certificate list (CA certificate list tab). This assumes the browser-trusted list is the one configured for the SSL proxy, which it is by default.

 

 

