Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 38 subscribers
  • Views 1137 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Decryption issue, unknown encrypting CA

Christian Fournier

Hello everyone,

I have a weird problem with https decryption. First, let me describe our equipment:

- AD network with 2 DC and internal CA

- An XG 125 router for internet access, firmware 19.0.0 GA-Build317

- Decryption is set up on the router, a subCA has been generated to re-encrypt previously decrypted traffic.

Everything works fine, except for some sites. For example, if you visit https://www.insee.fr , the browser indicates SEC_ERROR_UNKNOWN_ISSUER, and this site is encrypted with a certificate issued by "Sophos SSL Untrusted CA_KBeHDi0aSFUuBkKUVk6XCNC", which is clearly not my subCA!

I checked on the router and and no trace of this certificate!

Does anyone have any idea what is going on?



This thread was automatically locked due to age.
Parents
  • 0

    I have this exact same problem on my home network; I opened ticket 05662474 with supportt.  After some remote troubleshooting, the support engineer believed that if I regenerated the key it would fix the problem.  I didn't try that as I was too busy crashing on something else ,but eventually, I'll try it. 

Reply
  • 0

    I have this exact same problem on my home network; I opened ticket 05662474 with supportt.  After some remote troubleshooting, the support engineer believed that if I regenerated the key it would fix the problem.  I didn't try that as I was too busy crashing on something else ,but eventually, I'll try it. 

Children
  • 0 in reply to Brian1941

    I must add that I see this problem on several other installations I manage. Same sites, same problems of bad certificate but encrypted by another untrusted CA. So it's not "that" router related, so I don't think that regenerating the key (SecurityAppliance_SSL_CA I suppose) would fix it.

Unfiltered HTML