
Cert Issue


We tried to connect to


This is blocked due to Unknown CA.


I tried to figure out which is the CA we don't know. This is the path we got without SSL interception. For me this looks OK.


All certs in this path are well known...


Any idea?

5 Replies
McAfee Employee tpollok

Re: Cert Issue

Hi @feickholt,


I just checked this on a Web Gateway running 7.8.2 with a default config. With HTTPS Scanning enabled the site is working fine.


Maybe you can check which setting is used in the rule to check the certificate and also you can check if there is new content for the Known CAs list.


Re: Cert Issue

We use 7.7.2

and use the Known CAs supplied by MC.

I reloaded the list manually; nothing changed.

Here is the rule Unbenannt.PNG


Re: Cert Issue

Something strange is regarding the certificate chain length. The property shows 1 but the right value must be 4.

Re: Cert Issue

Hi Frank,

Tried to reproduce the issue on my side as well, running with default McAfee supplied list of known CAs, but without any success.

Also double-checked the certificate path and for me this looks totally fine just as you mentioned.

Not sure what might go wrong there, looks like a strange behaviour within your policy/environment...


McAfee Employee aloksard

Re: Cert Issue


Hope you are doing well.

Below is the certificate being received at my end, and the website works fine with proxy and SSL enabled:


Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4861
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 4857
Certificates Length: 4854
Certificates (4854 bytes)
Certificate Length: 1422
Certificate: 3082058a30820472a0030201020210097e6b210aaf0fbca1... (id-at-commonName=*
Certificate Length: 1101
Certificate: 3082044930820331a0030201020213067f94578587e8ac77... (id-at-commonName=Amazon,id-at-organizationalUnitName=Server CA 1B,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1174
Certificate: 308204923082037aa0030201020213067f944a2a27cdf3fa... (id-at-commonName=Amazon Root CA 1,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1145
Certificate: 308204753082035da003020102020900a70e4a4c3482b77f... (id-at-commonName=Starfield Services Root Certificate Authority ,id-at-organizationName=Starfield Technologies, Inc.,id-at-localityName=Scottsdale,id-at-stateOrProvinceName=A


I would suggest once again to check the certificate being received by MWG with SSL inspection enabled and check if the certificate authorities are present in the CA list being used in your policy.


If all looks fine then you may open a case with support for further investigation.



Alok Sarda
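
Added example, not part of the thread and not McAfee code: a small Python parser that walks the certificate list of a TLS 1.2 Certificate record, so the number of certificates the server actually sends can be compared with the chain length a gateway reports. It assumes the whole Certificate message sits in one unfragmented record; the function names are hypothetical, and the sample record is constructed from the four certificate lengths in the dump above, with zero bytes standing in for the certificates.

```python
"""Count the certificates in a TLS 1.2 Certificate record (added example)."""

# Certificate lengths as listed in the dump in this thread.
DUMP_LENGTHS = [1422, 1101, 1174, 1145]


def u24(n: int) -> bytes:
    """Encode a 24-bit big-endian length, as used inside handshake messages."""
    return n.to_bytes(3, "big")


def build_sample_record(cert_lengths):
    """Constructed input: zero bytes stand in for the DER certificates."""
    entries = b"".join(u24(n) + bytes(n) for n in cert_lengths)
    handshake_body = u24(len(entries)) + entries
    handshake = b"\x0b" + u24(len(handshake_body)) + handshake_body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def parse_certificate_record(record: bytes):
    """Return the certificate entries of one unfragmented Certificate record."""
    if len(record) < 12:
        raise ValueError("too short for record and handshake headers")
    if record[0] != 22 or record[5] != 11:
        raise ValueError("not a handshake record carrying a Certificate message")
    rec_len = int.from_bytes(record[3:5], "big")
    hs_len = int.from_bytes(record[6:9], "big")
    list_len = int.from_bytes(record[9:12], "big")
    # The three nested length fields must agree with each other and the data.
    if rec_len != len(record) - 5 or hs_len != rec_len - 4 or list_len != hs_len - 3:
        raise ValueError("length fields inconsistent (truncated or fragmented?)")
    certs, pos = [], 12
    while pos < len(record):
        if pos + 3 > len(record):
            raise ValueError("dangling bytes after last certificate")
        n = int.from_bytes(record[pos:pos + 3], "big")
        pos += 3
        if pos + n > len(record):
            raise ValueError("certificate entry overruns the list")
        certs.append(record[pos:pos + n])
        pos += n
    return certs


if __name__ == "__main__":
    chain = parse_certificate_record(build_sample_record(DUMP_LENGTHS))
    print("certificates sent by server:", len(chain))
    print("entry lengths:", [len(c) for c in chain])
```

With a real capture, pass the raw bytes of the Certificate record instead of the constructed sample; each returned entry is then a DER certificate that can be checked against the CA list.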


