Troubleshooting Certificate Verification Failures

This section describes how to use resources in Content Gateway and on your PC to troubleshoot certificate verification failures.

As new information becomes available, updated Troubleshooting information will be posted online to Troubleshooting for Certificate Verification.

Note: Several websites offer excellent online SSL checkers that diagnose problems with SSL certificates installed on web servers. To find one of those tools, use a search engine to search for “SSL checker”.
When a failure occurs:
  1. Note the incident ID and URL in the block page displayed to the user.
  2. Log on to the Content Gateway manager and go to Configure > SSL > Incidents > Incidents List.
  3. Search for the incident ID and verify the URL.
  4. In the Message field, click the magnifying glass to view the complete details. It is important to note the “depth=” value as it indicates the location within the certificate chain where the error occurred.
If the message is one of the following, refer to its description and the action to take:
Certificate is not yet valid

The certificate’s “Valid from” date is in the future.

Verify the failure by accessing the same URL without Content Gateway and check the “Valid from ---- to” fields. The “Valid from” date should be a date in the future.

If the Verify entire certificate chain option is enabled, the “Valid from” date of every certificate in the chain may have to be checked. Look for the “depth=” value in the error message for the level in the chain at which the error occurred.

Note: Also check that the time and date are set correctly on the Content Gateway host system. To check the time in the Content Gateway manager, go to Monitor > My Proxy > Alarms.

Certificate has expired

The certificate’s “Valid to” date is in the past.

Verify the failure by accessing the same URL without Content Gateway and check the “Valid from ---- to” fields. The “Valid to” date should be a date in the past.

If the Verify entire certificate chain option is enabled, the expiration date of every certificate in the chain may have to be checked. Look for the “depth=” value in the error message for the level in the chain at which the error occurred.

Self-signed certificate

The offered certificate is self-signed and the same certificate cannot be found in the list of trusted certificates.

Verify the failure by accessing the same URL without Content Gateway. The browser should display the same error.

Self-signed certificate in certificate chain

The certificate chain cannot be built up due to an untrusted self-signed certificate, or the root CA is not yet added to the CA tree.

To verify if the failure is due to an untrusted self-signed certificate in the chain, access the URL without Content Gateway to produce the same error.

When a certificate is signed by its own issuer, it is assumed to be the root CA. Verify if the root CA is listed on the CA tree by going to Configure > SSL > Certificates.

This is a common error, especially with network equipment that includes HTTPS management interfaces. If the devices are internal to your network, you may want to bypass proxying altogether.

To resolve the issue, you have to import a certificate from a trusted source.

Unable to get local issuer certificate

The issuer certificate of an untrusted certificate cannot be found.

When this failure occurs, the error message displays “depth=0”, which indicates that the problem is with the peer certificate or its local issuer certificate. A trusted CA certificate (depth=1) is required.

Investigate the problem by accessing the site without Content Gateway and view the certificate in the browser. To identify the certificate from the Certification Path that does not appear in the CA tree, look up one level in the chain. Then, compare the identified certificate to the CA tree to verify the missing certificate (Configure > SSL > Certificates). Make a copy of the missing certificate and add it to the trusted certificate tree. See How do I copy a certificate from my browser to the CA tree?

Remove the incident from the Incident List and then access the site again to confirm that the failure is cleared.

Unable to verify the first certificate

The certificate could not be verified because the Certification Path (certificate chain) contains only one certificate and it is not self-signed.

To verify the failure, access the site without Content Gateway, examine the certificate, and verify that the Certification Path includes only one certificate and that it is not self-signed. The root CA that signed the certificate must be part of the chain to avoid this error.

Certificate revoked

The certificate has been revoked. This is a serious security alert.

Content Gateway has learned via the CRL or OCSP that the Certificate Authority that signed the certificate has revoked the certificate. A Web search can lead to good information about why the certificate was revoked.

To verify the failure, access the site without Content Gateway. The browser should encounter the same error. Also, submit the URL to a web-hosted SSL certificate checking tool.

Invalid CA certificate

The certificate is invalid.

Either the certificate is not a CA or its extensions are not consistent with the supplied purpose.

Common Name does not match URL

The Common Name of the certificate does not match the specified URL.

Due to the way that certificates are constructed and URLs specified, this can be a common error.

To verify the failure, access the site without Content Gateway, open the certificate, and verify that the Common Name or Subject Alternative Name, if present, does not match the fully qualified hostname in the URL.

If your IT security policy permits it, it may work best to configure Verification Bypass to allow your users to bypass the warning at their discretion. Forcepoint Web Security has additional protections to detect if websites are being impersonated. The SSL Verification Bypass feature only allows the user to continue to the site. Web protection features of Forcepoint Web Security are not bypassed by this feature.

Unknown revocation state

A common error when OCSP verification is enabled.

To verify the failure, access the site with an OCSP-supported browser and without Content Gateway. The error should occur.

CA explicitly denied

A new CA was added to the CA tree, but is explicitly denied by Content Gateway.

To verify and remediate the condition, log on to the Content Gateway manager and go to Configure > SSL > Certificates > Certificate Authorities. The new CA should be listed with a red cross to the left. This CA was offered as part of the SSL handshake and was added to the CA tree with the status “untrusted”.

After validating the CA with Content Gateway, set the allow or deny status. From the Certificate Authorities page, select the CA to view the deny and allow options. If you elect to allow the CA, delete the incident and go to the site to verify access.

Client certificate requested

The destination server requires a client certificate.

To verify the failure, access the site without Content Gateway and confirm that the origin server is requesting a client certificate.

Note: When a client certificate is required, there is an option to bypass the client certificate request. The default bypass option is to create an incident; the setting is on the SSL > Client Certificates > General page.
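The messages in the entries above match OpenSSL's certificate verification error strings, and `openssl verify` reports the same error code and depth numbering, so most of these failures can be reproduced offline without Content Gateway or a live site. The following POSIX shell script is an added example and is not part of the Content Gateway documentation: it builds a constructed demo root CA, an intermediate CA, a leaf certificate for the hypothetical host www.example.test and a stand-alone self-signed certificate, then verifies them in ways that produce the “unable to get local issuer certificate” result (at depth=0 and at depth=1), the self-signed, hostname-mismatch, not-yet-valid and expired results discussed above, and one clean “OK”. The certificate names, the working directory, the serial numbers and the 730-day clock offset are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the Content Gateway documentation): reproduce the
# verification failures from the table with "openssl verify", which prints the
# same error strings and the same "depth" numbering that the Incidents List shows.
# All material is constructed here: a demo root CA, an intermediate CA, a leaf for
# the hypothetical host www.example.test, and a stand-alone self-signed certificate.
set -eu

WORK="${TMPDIR:-/tmp}/cg-verify-demo.$$"      # assumed scratch directory
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Extension files. "openssl x509 -extfile" reads the unnamed section by default.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

# Key pair plus CSR: $1 = file base name, $2 = subject CN.
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
mkcsr root  "Demo Root CA"
mkcsr inter "Demo Intermediate CA"
mkcsr leaf  "www.example.test"
mkcsr self  "appliance.example.test"

# Root: self-signed CA. Intermediate: signed by root. Leaf: signed by intermediate.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -set_serial 1 -days 365 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 365 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -set_serial 3 -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
# A self-signed server certificate, like those on appliance management interfaces.
openssl x509 -req -in "$WORK/self.csr" -signkey "$WORK/self.key" -set_serial 4 -days 365 \
    -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/self.pem" 2>/dev/null

# Run "openssl verify" with the given arguments and report the first failure as
# "error=<code> depth=<n>" (the numbers from OpenSSL's "error N at D depth lookup"
# line), or "OK" when the chain verifies.
verify_outcome() {
  out=$(openssl verify "$@" 2>&1 || true)
  first=$(printf '%s\n' "$out" \
    | sed -n 's/^.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup:.*$/error=\1 depth=\2/p' \
    | head -n 1)
  if [ -n "$first" ]; then
    printf '%s\n' "$first"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then
    echo OK
  else
    echo "UNEXPECTED: $out"
  fi
}

# "Unable to get local issuer certificate" at depth=0: the leaf alone, no chain, no trusted CA.
demo_leaf_alone()        { verify_outcome "$WORK/leaf.pem"; }
# The same message at depth=1: the intermediate was offered, but its issuer (the root) is not trusted.
demo_missing_root()      { verify_outcome -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; }
# Root in the trust store and intermediate in the chain: verifies cleanly.
demo_full_chain()        { verify_outcome -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; }
# "Self-signed certificate" at depth=0: the certificate is its own issuer and is not trusted.
demo_self_signed()       { verify_outcome "$WORK/self.pem"; }
# "Common Name does not match URL": the SAN says www.example.test, the requested host differs.
demo_hostname_mismatch() { verify_outcome -verify_hostname other.example.test -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; }
# "Certificate is not yet valid" / "Certificate has expired": -attime moves the verification
# clock. depth=2 is the root, because validity is checked from the top of the chain downward.
demo_not_yet_valid()     { verify_outcome -attime 1 -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; }
demo_expired()           { verify_outcome -attime "$(( $(date +%s) + 730*24*3600 ))" -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem"; }

for d in demo_leaf_alone demo_missing_root demo_full_chain demo_self_signed \
         demo_hostname_mismatch demo_not_yet_valid demo_expired; do
  printf '%-24s %s\n' "$d" "$("$d")"
done
```

Run it with `sh`; each `demo_*` function prints `error=<code> depth=<n>` or `OK`. The not-yet-valid and expired runs report depth=2 rather than depth=0 because OpenSSL checks validity starting at the root, which is the reason the procedure above tells you to read the depth= value before deciding which certificate in the chain to examine, especially when Verify entire certificate chain is enabled.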