How to open HTTPS sites without certificate error?

Hello All,

We have 2 groups of users in our network who use the Internet.

The users of one of these groups are not members of our network. They go to the Internet by WiFi and when trying to open HTTPS sites they get the same page with a certificate error:

I know that to solve this, I need to install a certificate.

But that's not a solution for this, because we have no possibility to teach all users.

Please, give me any ideas how to open HTTPS sites without this Certificate Error page?!!

Version of the Web Gateway is 7.3.x

4 Replies

Re: How to open HTTPS sites without certificate error?


The only option I see is to disable SSL Scanner for the user group that is not able to install the root certificate. MWG with enabled Content Inspection works as a Man-In-The-Middle to look into the encrypted data. To keep the certificates signed by the original authority MWG would require access to the private keys for those certificates. Without access to those keys MWG has to present its own certificate in order to encrypt the connection. Those certificates are signed by the Root CA that is hosted on MWG. You need a root CA that is signed by a CA that is trusted in the browser, which should be easily doable in a controlled environment such as a Windows Domain.

Clients not under your control have to install a Root CA, otherwise they will keep seeing the errors. The only option I see here is to turn SSL Scanning off which causes MWG to tunnel the original certificate to the client. You cannot filter within SSL tunnels, of course. You could use some kind of a welcome page that is displayed when a user starts to access the internet, which explains how to install the CA.

Maybe others can share how they manage SSL Scanner / Root CAs.



Re: How to open HTTPS sites without certificate error?

Hi folks.

I hope there is an idea which could work.

Let's say we have a proxy FQDN. I think you can get a verified SSL certificate from a public CA and use this certificate in the settings for "SSL client Context with CA". An external certificate can be imported there, which is then used for MITM during SSL Scanner decryption.

If such a cert comes from a public CA, it will be trusted for internal and for external users and the browser should not ask for confirmation. You can test it with a StartSSL free 1Y certificate.


Re: How to open HTTPS sites without certificate error?


I don't think this will work.

You will get a server certificate for "". When you browse to through MWG the SSL Scanner creates a NEW certificate which has as the subject name. This certificate is then signed with the certificate you imported into the SSL Scanner setting.

You cannot sign server certificates with a server certificate... if this was possible you could easily use your publicly trusted certificate and make yourself certificates for or other major sites. This is not what CA vendors want, therefore it won't be possible.

It would be possible to make such a setup if you obtain a CA which is signed by a trusted CA. But even if you are able to obtain such a CA it will most likely be revoked sooner or later, because you are not allowed to use such a CA to create certificates for any domain you like - unless this is explicitly allowed, which I assume is not.

You could also use an SSL Client Context without CA and feed it with a trusted server certificate. But then you go to and MWG presents your (trusted) certificate for The browser will complain that there is a hostname mismatch between requested domain and certificate subject.



Re: How to open HTTPS sites without certificate error?


Andre is right. In order for MWG to perform SSL scanning it has to be a CA or subordinate CA that has the ability to generate other SSL certs. (That's the key here.) A public CA will not issue a certificate that has signing authority for other SSL certs. Therefore, the only way to do SSL scanning is to have MWG as its own CA, or as a subordinate CA from an internal Certificate Authority. If you had a Microsoft CA already on the domain and its CA certificate has been distributed to the clients already, by making MWG a subordinate from your own Microsoft CA, you could do SSL scanning because the internal Microsoft CA is already deployed to the client. There is no other way for MWG or any other SSL decryption product.

For your guest/wifi users: The only option is to disable the SSL scanning or implement the CA.

Best Regards
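The point Andre and the last reply make (a public CA's server certificate lacks signing authority, so nothing it signs will be trusted) can be checked before importing a certificate into the SSL Scanner. The following is an added example using the pyca/cryptography library, not code from the thread or from McAfee; the "Example Public CA" and "proxy.example.com" names are constructed sample values.

```python
# Added example: decide whether a certificate can act as a signing CA the way
# MWG's SSL Scanner needs. Browsers apply the same rule (basicConstraints CA:TRUE,
# and keyCertSign if keyUsage is present), which is why a server cert bought from
# a public CA (CA:FALSE) can never sign the per-site certificates MWG generates.
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa


def can_sign_server_certs(cert: x509.Certificate) -> bool:
    """True only if basicConstraints says CA:TRUE and, when a keyUsage extension
    exists, it carries the keyCertSign bit. Missing basicConstraints counts as
    not a CA, mirroring RFC 5280 path validation."""
    try:
        bc = cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS)
    except x509.ExtensionNotFound:
        return False
    if not bc.value.ca:
        return False
    try:
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE)
        return bool(ku.value.key_cert_sign)
    except x509.ExtensionNotFound:
        return True


def make_cert(subject_cn, key, issuer_cert, issuer_key, is_ca):
    """Constructed sample certificate; issuer_cert=None makes it self-signed."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(issuer_cert.subject if issuer_cert else name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now)
               .not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None),
                              critical=True))
    return builder.sign(issuer_key or key, hashes.SHA256())


def demo():
    """Build a sample root CA and a server (leaf) cert it issued, then report
    which of the two could be imported as an SSL Scanner signing certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    root = make_cert("Example Public CA", ca_key, None, None, is_ca=True)
    proxy_leaf = make_cert("proxy.example.com", leaf_key, root, ca_key, is_ca=False)
    return can_sign_server_certs(root), can_sign_server_certs(proxy_leaf)
```

Running `can_sign_server_certs` on a certificate loaded with `x509.load_pem_x509_certificate` tells you in advance whether clients will accept what MWG signs with it.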

