There are times when after renewing an expired CA certificate and re-importing the valid certificate, that the "ssl_server_cert_untrusted_issuer" still persists.
Testing with a direct Internet connection shows that the browser does not receive the "ssl_server_cert_untrusted_issuer" error.
By default, the SSL Proxy trusts the "browser-trusted" CCL server certificate (Management console - Configuration - Proxy Settings - SSL Proxy). The "browser-trusted" CCL consist of most ,if not all, public server certificates.
Hence, the newly imported certificate needs to be added into "browser-trusted" CCL before it will be trust by ProxySG's SSL Proxy. This can be accomplished with the following steps.
From the Management console, navigate to Configuration (tab) > SSL > CA Certificate > CA Certificate Lists
Select "browser-trusted," and click on Edit
The newly imported server certificate will appear in the left pane; select it and click Add
Click on OK, then Apply for changes to take effect.
Note: A new feature which automatically updates the CA list was introduced in SGOS 6.3. Please visit KB4826 for more information
Imported Document ID: 000016897
Subscribing will provide email updates when this Article is updated. Login is required.