Expired or invalid gateway server certificates
Article ID: 173419
Updated On:
Products
Issue/Introduction
The end user cannot browse through the Web Isolation platform due to errors regarding invalid certificates. Those errors could include—but are not limited to—an incorrect subject or having reached expiration.
Cause
All secure traffic requires a valid server certificate, provided by the server. SSL traffic can be established only when the server certificate is valid.
NOTE: In a downstream proxy scenario that also intercepts SSL traffic, the end user’s browsers shall validate the signed server certificates.
Resolution
Ensure all gateway server certificates are valid.
You can check them by editing each gateway under System Configuration > Gateways and viewing the certificate.
If an auto-generated server certificate needs to be manually renewed, this can be achieved by toggling the corresponding Zone CA under System Configuration > Zones. Web Isolation versions 1.15+ contain an auto-regeneration feature which renews the certificates prior to expiry.
If a custom server certificate needs to be replaced, a new one can be installed under System Configuration > System Certificates and then referenced in the above configuration for each gateway.
For further information, see the Symantec Threat Isolation Platform (STIP) Guide for Administrators section on Configuring Security Policy Settings > Configuring System Certificates.
Feedback
