Symantec/Bluecoat ProxySG Doesn’t Trust RapidSSL Intermediate Certificate

When SSL interception is configured on a full proxy, these errors are quite common mostly due to some websites having expired certificates or the CN in the certificate not matching the actual hostname in the browser.

This is what you see in the browser when the proxysg fails SSL verification of the OCS – original content server.

Untrusted SSL Server Certificate (ssl_server_cert_untrusted_issuer) 

Proxysg error Untrusted SSL Server Certificate (ssl_server_cert_untrusted_issuer)
Browser error when proxy fails ssl cert validation

This case was a bit different as the certificate on the site was fine but the proxysg did not trust the intermediate cert in the chain. 

Here you can see the RapidSSL intermediate cert when accessing the website directly without the proxy.

rapidssl intermediate cert
browser showing the rapidssl intermediate cert


If you look at the chrome certificate store the RapidSSL intermediate cert is present under intermediate certs and the Digicert root cert under trusted root certs.

Chrome certificate store
Chrome cert store

However the cert store on the proxysg only contains the Digicert root cert in its certificate store.

proxysg certificate store
proxysg certificate store


And hence why the connection from the proxy to the server breaks as the proxy doesn’t trust the certificate!

The way out of this is to either use a VPM policy by disabling the server certificate validation in an SSL Access Layer.

vpn policy server cert validation


..or by exporting the RapidSSL intermediate certificate from your browser and importing it to the proxysg. Always apply changes in proxysg for them to take effect.

importing cert to proxysg CA

To import you just open the cert in notepad and paste it using the paste from clipboard option as in the image. 

It’s not done, the new cert needs to be added to browser trusted for it to work. 

add cert to browser trusted


Once you do either of these the browser should load the page correctly through the proxysg!