Description

Some modern browsers flag the Web Gateway certificate as unsafe. Inspecting the certificate itself may not directly reveal why your browser warns you. You may already have changed your certificate settings to use a stronger signature hash algorithm and still see the warning; if you have not done so yet, please check this article as well: MWG SSL Scanning: Browsers phasing out trust of SHA1 certificates

Error Message

I'll update this as soon as I get a sample or one of you sends me a screenshot of your browser showing this error.

How to check certificate chain

In Chrome

To show the related certificate and its chain in Chrome, click Menu > More Tools > Developer Tools (Ctrl+Shift+I). Open the "Security" tab and click "Show certificate".

In Internet Explorer

Click the lock icon on the right side of the address bar and then "Show certificate". Most likely IE does not show the warning mentioned above.

Presented Proxy certificate

As already mentioned, the presented certificate itself seems to be correct.

[Screenshot: cert1.PNG]

Marked in red: it was created by the McAfee Certificate Authority and uses the SHA256 signature algorithm. So why is it marked as unsafe?

To answer this question we need to check the presented certificate chain.

Certificate chain and used Root Certificate Authority

To open the root certificate, navigate to the third tab (Certificate Path) in the certificate window. Select the root certificate (1) and open it (2) as shown in the screenshot below.

[Screenshot: cert2_LI.jpg]

Now, as you can see in the details, the signature algorithm of the root certificate authority in use is SHA1, which your browser may flag as unsafe.

Solutions

Subordinate CA

https://kb.mcafee.com/agent/index?page=content&id=KB75037

Self-Signed CA

This needs to be done on the CLI as the root user. Choose a directory you also have access to in the UI, so you save the time of downloading and installing additional applications like WinSCP:

Step 1:

Log in to the CLI

[root@mwgapplsm75 ~]# cd /opt/mwg/log/debug/tcpdump/

[root@mwgapplsm75 tcpdump]# openssl genrsa -aes256 -out ca-key.pem 2048

[root@mwgapplsm75 tcpdump]# openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha256

Step 2:

Download the certificate: UI > Troubleshooting > Packet tracing

[Screenshot: download_cert.JPG]

Step 3:

Import the created certificate and key file

[Screenshot: Import Cert.JPG]

Step 4:

Save your changes and verify the root CA's signature algorithm

[Screenshot: new_cert1.JPG]

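The chain check from the "Certificate chain" section and the self-signed CA steps above, as an added shell example that is not part of the original article: it creates a SHA-256-signed root CA with openssl without interactive prompts, then reports the signature algorithm of every certificate in a PEM bundle (for example a chain exported from the browser) and flags SHA-1 or MD5 signatures. It assumes openssl 1.1.1 or newer is on PATH; WORKDIR, CA_SUBJECT and CA_PASS are placeholder values, not settings from the article.

```shell
#!/bin/sh
# Added example (not part of the original article): build a SHA-256-signed
# self-signed root CA without interactive prompts, then report the signature
# algorithm of every certificate in a PEM bundle and flag SHA-1/MD5 signatures.
# Assumes openssl 1.1.1 or newer on PATH. WORKDIR, CA_SUBJECT and CA_PASS are
# placeholder values, not settings from the article.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_SUBJECT="${CA_SUBJECT:-/O=Example Org/CN=Example Web Gateway Root CA}"  # placeholder
CA_PASS="${CA_PASS:-changeme}"                                              # placeholder

# Generate an AES-256-encrypted RSA key and a SHA-256-signed self-signed root CA.
# -passout/-passin and -subj replace the prompts of the article's commands;
# -addext replaces '-extensions v3_ca', so no openssl.cnf section is needed.
# Prints the path of the new root certificate.
make_sha256_root_ca() {
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/ca-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 1024 \
        -key "$WORKDIR/ca-key.pem" -passin "pass:$CA_PASS" \
        -subj "$CA_SUBJECT" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$WORKDIR/ca-root.pem"
    printf '%s\n' "$WORKDIR/ca-root.pem"
}

# Print the signature algorithm of one PEM certificate, e.g. sha256WithRSAEncryption.
# This is the value the browser's certificate details dialog shows as "Signature algorithm".
sig_alg_of() {
    openssl x509 -in "$1" -noout -text | awk -F': *' '/Signature Algorithm/ { print $2; exit }'
}

# Check every certificate in a PEM bundle (leaf first, root last, as exported from
# the browser). Prints one line per certificate; returns 1 if any signature uses
# SHA-1 or MD5, which is exactly the root-CA problem described in the article.
check_chain_for_sha1() {
    bundle="$1"
    bad=0
    rm -f "$WORKDIR"/chain-*.pem
    # Split the bundle into one file per certificate.
    awk -v dir="$WORKDIR" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/chain-" n ".pem" }
        f != "" { print > f }
    ' "$bundle"
    for f in "$WORKDIR"/chain-*.pem; do
        [ -f "$f" ] || { echo "ERROR: no certificates found in $bundle"; return 2; }
        alg=$(sig_alg_of "$f" 2>/dev/null || true)
        case "$alg" in
            "")                        echo "ERROR $f: not a parsable certificate"; bad=1 ;;
            *sha1*|*SHA1*|*md5*|*MD5*) echo "WEAK  $f: $alg"; bad=1 ;;
            *)                         echo "OK    $f: $alg" ;;
        esac
    done
    return $bad
}

# Stand-alone run: create the CA and show what a browser would see for it.
if [ "${CHECK_CA_DEMO:-1}" = "1" ]; then
    ca=$(make_sha256_root_ca)
    echo "new root CA: $ca"
    echo "signature algorithm: $(sig_alg_of "$ca")"
fi
```

Run it with `sh check_ca.sh`; the generated ca-key.pem and ca-root.pem in WORKDIR are the two files imported in Step 3. To reproduce the browser's view of an existing gateway, concatenate the exported proxy certificate and its root into one PEM file and pass it to `check_chain_for_sha1`: the proxy certificate will report sha256WithRSAEncryption while an old root reports sha1WithRSAEncryption, which is the mismatch the screenshots above illustrate.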
Fixed in Version 7.7.X

When you update an older version to 7.7.X, you will need to generate a new certificate before the new settings take effect.

[Screenshot: Generate_new_cert.JPG]

The new root CA then looks like this one, created on 7.7.1.3:

[Screenshot: new_cert.JPG]