Troubleshooting Certificate Verification Failures

Documentation | Support

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Content Gateway SSL Certificate Verification > Troubleshooting Certificate Verification Failures

Troubleshooting Certificate Verification Failures

This section describes how to use resources in Content Gateway and on your PC to troubleshoot certificate verification failures.

As new information becomes available, updated Troubleshooting information will be posted online to Troubleshooting for Certificate Verification.


	Note Several websites offer excellent online SSL checkers that diagnose problems with SSL certificates installed on web servers. To access one of those tools, in a browser go to a Search service and search for "SSL checker".

When a failure occurs:

1.

Note the incident ID and URL in the block page displayed to the user.

2.

Log on to the Content Gateway manager and go to Configure > SSL > Incidents > Incidents List.

3.

Search for the incident ID and verify the URL.

4.

In the Message field, click the magnifying glass to view the complete details. It is important to note the "depth=" value as it indicates the location within the certificate chain where the error occurred.

If the message is:


Message	Description & Action
Certificate is not yet valid	The certificate's "Valid from" date is in the future. Verify the failure by accessing the same URL without Content Gateway and check the "Valid from ---- to ----" fields. The "Valid from" date should be a date in the future. If the Verify entire certificate chain option is enabled, the "Valid from" date of every certificate in the chain may have to be checked. Look for the "depth=" value in the error message for the level in the chain at which the error occurred. Note: Also check that the time and date are set correctly on the Content Gateway host system. To check the time in the Content Gateway manager, go to Monitor > My Proxy > Alarms.
Certificate has expired	The certificate's "Valid to" date is in the past. Verify the failure by accessing the same URL without Content Gateway and check the "Valid from ---- to ----" fields. The "Valid to" field should be a date in the past. If the Verify entire certificate chain option is enabled, the expiration date of every certificate in the chain may have to be checked. Look for the "depth=" value in the error message for the level in the chain at which the error occurred.
Self-signed certificate	The offered certificate is self-signed and the same certificate cannot be found in the list of trusted certificates. Verify the failure by accessing the same URL without Content Gateway. The browser should display the same error.
Self-signed certificate in certificate chain	The certificate chain cannot be built up due to an untrusted self-signed certificate, or the root CA is not yet added to the CA tree. To verify if the failure is due to an untrusted self-signed certificate in the chain, access the URL without Content Gateway to produce the same error. When a certificate is signed by its own issuer, it is assumed to be the root CA. Verify if the root CA is listed on the CA tree by going to Configure > SSL > Certificates. This is a common error, especially with network equipment that includes HTTPS management interfaces. If the devices are internal to your network, you may want to bypass proxying altogether. To resolve the issue, you have to import a certificate from a trusted source.
Unable to get local issuer certificate	The issuer certificate of an untrusted certificate cannot be found. When this failure occurs, the error message displays "depth= 0", which indicates that the problem is the peer or local issuer certificate. A trusted CA certificate (depth= 1) is required. Investigate the problem by accessing the site without Content Gateway and view the certificate in the browser. To identify the certificate from the Certification Path that does not appear in the CA tree, look up one level in the chain. Then, compare the identified certificate to the CA tree to verify the missing certificate (Configure > SSL > Certificates). Make a copy of the missing certificate and add it to the trusted certificate tree. See How do I copy a certificate from my browser to the CA tree? Remove the incident from the Incident List and then access the site again to confirm that the failure is cleared.
Unable to verify the first certificate	The certificate could not be verified because the Certification Path (certificate chain) contains only one certificate and it is not self-signed. To verify the failure, access the site without Content Gateway, examine the certificate, and verify that the Certification Path includes only 1 certificate and that it is not self-signed. The root CA that signed the certificate must be part of the chain to avert this error.
Certificate revoked	The certificate has been revoked. This is a serious security alert. Content Gateway has learned via the CRL or OCSP that the Certificate Authority that signed the certificate has revoked the certificate. A Web search can lead to good information about why the certificate was revoked. To verify the failure, access the site without Content Gateway. The browser should encounter the same error. Also, submit the URL to a web-hosted SSL certificate checking tool.
Invalid CA certificate	The certificate is invalid. Either the certificate is not a CA or its extensions are not consistent with the supplied purpose.
Common Name does not match URL	The Common Name of the certificate does not match the specified URL. Due to the way that certificates are constructed and URLs specified, this can be a common error. To verify the failure, access the site without Content Gateway, open the certificate, and verify that the Common Name or Subject Alternative Name, if present, does not match the fully qualified hostname in the URL. If your IT security policy permits it, it may work best to configure Verification Bypass to allow your users to bypass the warning at their discretion. Forcepoint Web Security has additional protections to detect if websites are being impersonated. The SSL Verification Bypass feature only allows the user to continue to the site. Web protection features of Forcepoint Web Security are not bypassed by this feature.
Unknown revocation state	A common error when OCSP verification is enabled. To verify the failure, access the site with an OCSP-supported browser and without Content Gateway. The error should occur.
CA explicitly denied	A new CA was added to the CA tree, but is explicitly denied by Content Gateway. To verify and remediate the condition, log on to the Content Gateway manager and go to Configure > SSL > Certificates > Certificates Authorities. The new CA should be listed with a red cross to the left. This CA was offered as part of the SSL handshake and added to the CA tree with the status: untrusted. After validating the CA with Content Gateway, set the allow or deny status. From the Certificate Authorities page, select the CA to view the deny and allow options. If you elect to allow the CA, delete the incident and go to the site to verify access.
Client certificate requested	The destination server requires a client certificate. To verify the failure, access the site without Content Gateway and confirm that the origin server is requesting a client certificate. Note: When a client certificate is required, there is an option to bypass the client certificate. The default bypass option is to create an incident by going to the SSL > Client Certificates > General page.

Go to the table of contents

Go to the previous page

Go to the next page

View or print as PDF

Content Gateway SSL Certificate Verification > Troubleshooting Certificate Verification Failures

Copyright 2022 Forcepoint. All rights reserved.