Symantec/Bluecoat ProxySG Doesn’t Trust RapidSSL Intermediate Certificate
When SSL interception is configured on a full proxy, these errors are quite common, mostly because some websites have expired certificates or the CN in the certificate does not match the hostname typed in the browser.
This is what you see in the browser when the ProxySG fails SSL verification of the OCS (original content server):
Untrusted SSL Server Certificate (ssl_server_cert_untrusted_
This case was a bit different: the certificate on the site was fine, but the ProxySG did not trust the intermediate certificate in the chain.
Here you can see the RapidSSL intermediate certificate when accessing the website directly, without the proxy.
If you look at the Chrome certificate store, the RapidSSL intermediate certificate is present under intermediate certificates and the DigiCert root certificate under trusted root certificates.
The certificate store on the ProxySG, however, contains only the DigiCert root certificate.
That is why the connection from the proxy to the server breaks: with only the root in its store and nothing to link the server certificate to that root, the proxy cannot build a trusted chain, so it treats the server certificate as untrusted.
There are two ways out. The first is a VPM policy that disables server certificate validation in an SSL Access Layer; note that this stops the proxy checking the OCS certificate at all for the matching traffic, so it trades away the check rather than fixing the chain.
The second is to export the RapidSSL intermediate certificate from your browser and import it into the ProxySG. Always apply changes on the ProxySG for them to take effect.
To import it, open the certificate in Notepad, copy the PEM text, and use the paste-from-clipboard option as shown in the image.
That alone is not enough: the newly imported certificate also needs to be added to the browser-trusted CA Certificate List (the list the ProxySG uses to validate server certificates) before the fix works.
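The chain-building failure and the import fix can be reproduced locally with OpenSSL. The script below is an added example, not part of the original post and not ProxySG code: it builds a constructed three-level chain (a root standing in for the DigiCert root, an intermediate standing in for the RapidSSL intermediate, and a server certificate for the made-up host www.example.test), then verifies the server certificate three ways: against the root alone (the proxy before the fix), against the root with the intermediate supplied separately (what the browser does), and against a CA file holding root plus intermediate (the proxy after the intermediate is imported into its CA certificate list).

```shell
#!/bin/sh
# Added example, not from the original post. Reproduces the ProxySG symptom with a
# constructed root -> intermediate -> server chain and shows why importing the
# intermediate into the proxy's CA list makes verification succeed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the script does not depend on the system openssl.cnf.
mk_cnf() {  # mk_cnf <file> <common name>
  cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Builds the constructed chain in $WORK (runs in a subshell so the cwd is untouched).
build_chain() (
  cd "$WORK"
  mk_cnf root.cnf "Constructed Root CA"          # stands in for the DigiCert root
  mk_cnf int.cnf  "Constructed Intermediate CA"  # stands in for the RapidSSL intermediate
  mk_cnf leaf.cnf "www.example.test"             # stands in for the OCS certificate

  # Extensions applied when signing the intermediate and the server certificate.
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid, issuer\n' > ca.ext
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:www.example.test\nsubjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid, issuer\n' > leaf.ext

  # Self-signed root.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -config root.cnf -keyout root.key -out root.pem 2>/dev/null
  # Intermediate signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config int.cnf \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out int.pem 2>/dev/null
  # Server certificate signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config leaf.cnf \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.pem 2>/dev/null

  # The proxy's CA list after the import: root plus intermediate in one file.
  cat root.pem int.pem > proxy-ccl.pem
)

# verify_leaf <trusted CA file> [<untrusted chain file>]
# Returns 0 when the server certificate chains to the trusted file, 1 otherwise.
# -no-CAfile/-no-CApath keep the system trust store out of the picture.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" \
      "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -CAfile "$1" \
      "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

show() {  # show <label> <trusted CA file> [<untrusted chain file>]
  label=$1; shift
  if verify_leaf "$@"; then echo "$label: verified"; else echo "$label: NOT verified"; fi
}

build_chain
show "proxy, root only"                    "$WORK/root.pem"
show "browser, root + cached intermediate" "$WORK/root.pem" "$WORK/int.pem"
show "proxy, root + imported intermediate" "$WORK/proxy-ccl.pem"
```

The first case is the ProxySG error from the post: the root is trusted but nothing presented to the verifier links the server certificate to it. The second case is why the browser was happy, since it already held the intermediate. The third case is the import fix: once the intermediate sits in the CA file the proxy validates against, the chain closes. The same check against a real site is `openssl s_client -connect host:443 -showcerts`, which shows whether the server sends the intermediate itself; a server that omits it will break any client that has only the root.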
Once you have done either of these, the browser should load the page correctly through the ProxySG.