

SSL Inspection - Websites showing up as Insecure despite having added Appliance Root CA

Hello,

I am setting up a new firewall, and feel like I am missing something.  The default settings are currently applied for SSL Inspection.  I have downloaded the Appliance Root CA from the Web > General Settings, as well as the resigning certificate from the Profiles > Decryption Profile setting.  I have added those to the Trusted Root Authority store on my Windows 8 laptop.  This made it so that secure websites will load without being blocked, but in the address bar of my browser (Edge, in this case), they are still showing up as "Not Secure" - see screenshot.  This seems like it must be an issue that has a really basic solution that I am missing, but hopefully somebody here can help me out and point me in the right direction.



This thread was automatically locked due to age.
  • I was thinking the issue is pinned certificates, but I noticed this problem occurring lately, where almost all Google sites (Google Search, YouTube) were "insecure" while logged into Google, but loading the same YouTube video or Google search in a different browser while logged out of Google (even with the CA installed in the browser in Firefox) showed as a secure connection. I'm fairly certain this problem began recently.

  • Sometimes I have that issue: when installing the CA in the browser, the browser loads the old site from the cache in history instead of loading the site from scratch.

    I would have to download the EICAR test file while using incognito mode in order to force the browser to get the file from the site instead of retrieving it from cache, for troubleshooting whether HTTPS inspection was really working or not.

  • An update: I finally found a W10 box that will update to the latest fixes etc. from MS.

    I have installed the XG115W CA in two places on the W10 box.

    Results.

    Access to the XG115W is still shown as insecure

    Some sites work correctly including google, but not all.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • I would think of a CA certificate at the wrong place or a 3rd Party Endpoint Security installed, checking HTTPS connections. Disabling "system application_classification" should not be required.

    Info: Microsoft has switched to browser CA certificates in Edge, just like Firefox does.

    https://learn.microsoft.com/en-us/deployedge/microsoft-edge-security-cert-verification

    In past versions of Microsoft Edge, both the default certificate trust list and the certificate verifier logic were provided by underlying operating system (OS) platform.

    For managed devices, starting in Microsoft Edge 112 on Windows and macOS, both the default certificate trust list and the certificate verifier are provided by and shipped with the browser. This approach decouples the list and verifier from the host operating system's root store for the default verification behavior. See the rollout timeline and testing guidance for more detail about the timing of the change.

    Even after the change, in addition to trusting the built-in roots that ship with Microsoft Edge, the browser queries the underlying platform for—and trusts—locally installed roots that users and/or enterprises installed. As a result, scenarios where a user or enterprise installed more roots to the host operating system's root store should continue to work.
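
Added example, not part of any post in this thread: a PowerShell check for the "CA certificate at the wrong place" case raised in the last reply, listing which Windows certificate stores hold the appliance CA and whether any copy sits in a Trusted Root store. The subject pattern `*ExampleApplianceCA*` is a constructed placeholder and the function name `Find-InspectionCa` is hypothetical; substitute text from the subject of the CA you downloaded from the firewall.

```powershell
# Added example: find where a TLS-inspection CA was imported on this Windows host.
# Placeholder pattern (constructed): replace with part of your appliance CA's subject.
$CaSubjectPattern = '*ExampleApplianceCA*'

$StorePaths = @(
    'Cert:\LocalMachine\Root',  # Trusted Root CAs, machine-wide
    'Cert:\CurrentUser\Root',   # Trusted Root CAs, current user only
    'Cert:\LocalMachine\CA',    # Intermediate CAs (a root placed here is not a trust anchor)
    'Cert:\CurrentUser\CA',
    'Cert:\CurrentUser\My'      # Personal store (common import mistake)
)

function Find-InspectionCa {
    param([string]$Pattern, [string[]]$Paths)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like $Pattern } |
            ForEach-Object {
                # Read the basicConstraints extension to confirm this is a CA certificate.
                $isCa = $false
                foreach ($ext in $_.Extensions) {
                    if ($ext -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]) {
                        $isCa = $ext.CertificateAuthority
                    }
                }
                [pscustomobject]@{
                    Store       = $path
                    Subject     = $_.Subject
                    Thumbprint  = $_.Thumbprint
                    NotAfter    = $_.NotAfter
                    Expired     = ($_.NotAfter -lt (Get-Date))
                    IsCA        = $isCa
                    InRootStore = ($path -like '*\Root')
                }
            }
    }
}

$found = @(Find-InspectionCa -Pattern $CaSubjectPattern -Paths $StorePaths)
if ($found.Count -eq 0) {
    Write-Warning "No certificate matching '$CaSubjectPattern' in the checked stores."
} else {
    $found | Format-Table -AutoSize
    $usable = $found | Where-Object { $_.InRootStore -and $_.IsCA -and -not $_.Expired }
    if (-not $usable) {
        Write-Warning 'CA found, but no valid copy is in a Trusted Root store; re-signed sites will not be trusted.'
    }
}
```

A copy that appears only under `Cert:\CurrentUser\Root` is trusted for that user alone, so other accounts on the same machine will still see certificate warnings.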