When full SSL Interception is configured on the Proxy via Policy, the SG issues the Certificate associated with the Keyring defined in the SSL Intercept Rule to the client whenever the client attempts a secure connection over SSL. This applies only when the SG is intercepting that connection and the SSL Intercept Rule matches in Policy.
This example is for a Forward Proxy (not reverse proxy) deployment.
To stop the browser from issuing "Untrusted" type error messages, install that ProxySG Keyring Certificate into the Browser's trusted list.
This can be done via the following steps:
Identify the Keyring used for Interception. This can be done by browsing to "Configuration" tab > "Policy" > "Policy Files" > "View Policy" in the SG Management Console and clicking "View". A popup window appears with ALL the policy installed on the device.
Search for the string "ssl.forward_proxy.issuer_keyring"
In this example, the Keyring used in the Rule is the DEFAULT keyring.
Click "Download a ProxySG Certificate as a CA certificate"
Click on the "DEFAULT" keyring and save the certificate as ".cer" format onto the desktop or another location.
Install the Certificate into the browser.
In this example, this can be done manually in Internet Explorer, in Firefox, or for all browsers at the same time.
a. Internet Explorer
Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities > Import > Next > Filename > Point to the certificate file saved earlier > Change the file types to All on the Windows Explorer screen > Next > Next > Finish
b. Firefox
Tools > Options > Encryption > View Certificates > Authorities > Import > Point to the certificate file saved earlier > Check the first option, "Trust this CA to identify web sites"
c. All browsers at the same time
On Microsoft Windows
Open Microsoft Management Console (Start > Run > mmc.exe)
Choose File > Add/Remove Snap-in
In the Standalone tab, choose Add
Choose the Certificates snap-in, and click Add
In the wizard, choose the Computer Account, and then choose Local Computer. Press Finish to end the wizard
Close the Add/Remove Snap-in dialog
Navigate to Certificates (Local Computer)
Choose a store to import
If there is a Root CA certificate for the company that issued the certificate, choose Trusted Root Certification Authorities
If there is a certificate for the server itself, choose Other People
Right-click the store and choose All Tasks > Import
Follow the wizard and provide the certificate file
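The Windows import above can also be scripted, with checks on the file before it becomes a trusted root. The PowerShell below is an added example, not part of the original article or any vendor tooling. The parameter names and the comparison against a thumbprint obtained out of band from the ProxySG administrator are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the downloaded ProxySG certificate, then import it into
# the Local Computer "Trusted Root Certification Authorities" store.
# Assumption: -ExpectedThumbprint was obtained out of band from the proxy admin.
param(
    [Parameter(Mandatory)] [string] $CertPath,            # the .cer file saved earlier
    [Parameter(Mandatory)] [string] $ExpectedThumbprint   # SHA-1 thumbprint, hex
)
$ErrorActionPreference = 'Stop'

# Parse the file without installing anything yet.
$fullPath = (Resolve-Path -LiteralPath $CertPath).ProviderPath
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# 1. The file must be the certificate we expect, not a look-alike.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $expected"
}

# 2. Flag a certificate that is not marked as a CA (Basic Constraints CA=TRUE).
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning "Certificate '$($cert.Subject)' is not marked as a CA."
}

# 3. Refuse a certificate that is outside its validity period.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Import into Cert:\LocalMachine\Root, the store chosen in the MMC steps.
Import-Certificate -FilePath $fullPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the result and print what is now trusted.
$installed = Get-Item -LiteralPath "Cert:\LocalMachine\Root\$($cert.Thumbprint)"
$installed | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter
```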
On a Linux distribution
Place the certificate on the machine. The following commands assume that it is located in /root/certificate.cer