Error "Server certificate signed by unknown CA" when updating the Blue Coat WebFilter database

Article ID: 167434

Products

ProxySG Software - SGOS

Issue/Introduction

You see the following error when updating Blue Coat WebFilter (BCWF) using the default URL that uses HTTPS. If you use HTTP, you do not see this error.

Download log:
  Blue Coat download at: 2011/04/11 18:11:53 +0000
  Downloading from https://list.bluecoat.com/bcwf/activity/download/bcwf.db
  Requesting differential update
  Fetching:
    https://list.bluecoat.com/bcwf/activity/download/bcwf.db?installed_version=311010300
      ERROR: Server certificate signed by unknown CA
  Requesting full database
  Fetching:
    https://list.bluecoat.com/bcwf/activity/download/bcwf.db
      ERROR: Server certificate signed by unknown CA
  Download failed

Resolution

Install the missing CA Certificates and restart the database download:

Using openssl, we can see that there are currently an Intermediate and a Root Issuer for the https://list.bluecoat.com site.

openssl s_client -showcerts -servername list.bluecoat.com -connect list.bluecoat.com:443 </dev/null
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
depth=0 C = US, ST = California, L = San Jose, O = Broadcom Inc, CN = list.bluecoat.com

  1. Download both of the issuer/CA certificates.
    https://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
    https://cacerts.digicert.com/DigiCertGlobalRootCA.crt
  2. Import the certificates into the ProxySG appliance CA Certificates (Configuration > SSL > CA Certificates).
  3. Add the certificates to the browser-trusted list (CA Certificate Lists > Browser-trusted).
  4. Apply the configuration changes.
  5. Restart the download of the BCWF database and view the download status to make sure that the download is working properly.

Make sure that the CCL for the default 'Device Profiles' is 'browser-trusted' (Configuration > SSL > Device Profiles).
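
Added example (not part of the original article and not Broadcom tooling): a shell check that reads the depth= lines of the openssl s_client output shown above and lists the issuer certificates that are not yet in a trusted list. The function names and the trusted-list format (one CN per line) are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: the s_client lines shown in the article.
# Live capture needs 2>&1 because s_client writes depth= lines to stderr.
SAMPLE_CHAIN='CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
depth=0 C = US, ST = California, L = San Jose, O = Broadcom Inc, CN = list.bluecoat.com'

# Constructed sample (assumption): CNs already in the CA Certificate List,
# one per line, as a hypothetical hand-made export.
SAMPLE_TRUSTED='DigiCert Global Root CA
Example Unrelated Root CA'

# chain_cas: read s_client output on stdin and print the CN of each issuer
# certificate (depth >= 1), intermediate first and root last.
# Assumes CN is the last field of the subject, as in the output above.
chain_cas() {
    sed -n 's/^depth=\([1-9][0-9]*\) .*CN *= *\(.*\)$/\1 \2/p' |
        sort -n | uniq | cut -d' ' -f2-
}

# missing_cas TRUSTED: read s_client output on stdin and print every chain
# CA whose CN is not an exact line of TRUSTED.
missing_cas() {
    trusted=$1
    chain_cas | while IFS= read -r cn; do
        printf '%s\n' "$trusted" | grep -Fxq -- "$cn" || printf '%s\n' "$cn"
    done
}

# Run on the constructed samples: lists the CA still to be imported.
printf '%s\n' "$SAMPLE_CHAIN" | missing_cas "$SAMPLE_TRUSTED"
```

The comparison is by CN string only: it tells you which issuers to import, not whether a given certificate file is authentic.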


 

Attachments

entrust_2048_ca.cer