Some of modern browsers can detect Web Gateway Certificate as unsafe. Checking the certificate itself you maybe not directly detect the issue why your browser warn you. A while ago you might have already changed your certificate settings to use stronger signaturehashalgorithmus and you still see the warning, if not please check this article as well: MWG SSL Scanning: Browsers phasing out trust of SHA1 certificates


Error Message

I'll update this as soon i'll get a sample provided or any of you send me a picture of your Browser with this error.


How to check certificate chain


In Chrome

To show related certificat and its chain in Chrome click Menue > More Tools > Developer tools (Ctrl +Shift+I). Open "security" tab and "Show Certificate".


In Internet Explorer

Click "Lock" sign right side in your address bar and "show certificate". Most likely IE don't show this warning mentioned above.


Presented Proxy certificate


as already mentioned before the presented certificate seems to be correct.


Marked in red, its created by McAfee Certificate Authority and it use SHA256 SignatureAlgorithm. So why it is marked as unsafe?


To answer this question we will need to check presented Certificate Chain.


Certificate chain and used Root Certificate Authority


To open Root Certificate, please navigate to 3rd tab (Certificate Path) in certificate window. Select(1) and open Root Certificate(2) as shown in screenshot below.



Now as you can see in details the presented SignatureAlgorithm of used Certificate Authority is SHA1, which your browser may detect as unsafe.




Subordinate CA


Self-Signed CA

This needs to be done on CLI as a root user. You can choose a directory you have access in the UI to, in order to save time downloading and installing additional Applications like WinSCP:

Step 1:

LogIn to CLI

[root@mwgapplsm75 ~]# cd /opt/mwg/log/debug/tcpdump/

[root@mwgapplsm75 tcpdump]# openssl genrsa -aes256 -out ca-key.pem 2048

[root@mwgapplsm75 tcpdump]# openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha256

Step 2:

Download Certificate UI > Troubleshooting > Packet tracing


Step 3:

Import created Certificate and Key file

Import Cert.JPG


Step 4:

Save your changes and verify root CA's signaturealgorithm



Fixed in Version 7.7.X

When you update older Version to 7.7.X you will need to generate new Certificate before new settings will take effect.



New Root CA looks than like this one, created on