
Browsers detect the Web Gateway certificate as unsafe
Technical Articles ID: KB89211
Last Modified: 12/20/2018

Environment

McAfee Web Gateway (MWG) 7.x

Problem

Some modern browsers may detect the Web Gateway certificate as unsafe. Starting January 1, 2016 most browsers are phasing out trust of certificates signed using SHA1. Any certificates signed after January 1 will be untrusted in some way (it varies based on the browser); certificates signed before January 1 are still accepted.

MWG will issue certificates for the sites that are SSL scanned, so the signing date will be after January 1, 2016. To avoid any issues, ensure that you are not using SHA1 in your SSL scanning settings (use SHA256 instead). If you migrated from older versions to newer versions, this setting will not be updated automatically.

Mozilla Firefox will actively block you from the site and display the following:
 
This Connection is Untrusted
 
Under Technical Details you see the report:
 
The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.
 
Google Chrome will display a passive warning in the address bar: it strikes out the https: part of the URL, and when you select the lock icon in the bar it displays the following:
 
The certificate for this site expires in 2017 or later, and the certificate-chain contains a certificate signed using SHA-1.

Solution

Use this solution if you are using Chrome version 57 or earlier, or your Client Context CA still uses SHA-1 Digest. To resolve this issue, configure the certificate to use SHA256 with a Key Size of 2048:
  1. Select Policy > Settings > Engines.
  2. In the tree, highlight SSL Client Context with CA.
  3. In the right pane, scroll down:
     
    • For Digest, select SHA256.
    • For RSA server Key Size, select 2048.
       
  4. Apply the changes.
If you have already followed the solution but still see the https: warning, the warning is about the use of a SHA-1 signed Certificate Authority.

To view the related certificate:
  • In Google Chrome:
    1. Select Menu > More Tools > Developer tools.
    2. Select the Security tab, and then select Show Certificate.
       
  • In Internet Explorer:
    1. Click the lock sign on the right side of your address bar.
    2. Click Show Certificate.
       
To view the Certificate chain and used Root Certificate Authority:
  1. Select the Certificate Path tab (third tab).
  2. Highlight McAfee Web Gateway, and click View Certificate.
  3. Select the Detail tab.
    • View Signature algorithm.
    • View Signature hash algorithm.
      You will see the Certificate Authority (CA) is SHA-1 signed, which your browser may detect as unsafe.
       
  4. View the other solutions listed in this article and perform the appropriate one as per your CA and upgrade policy.

Solution

If you are using a Subordinate CA:
Follow the solution in KB75037 and ensure that your Root (company) CA and your new Subordinate CA use a stronger signature algorithm than SHA-1.

Solution

To resolve this issue with a self-signed CA:
When you are running a version of MWG earlier than 7.7.X and do not want to update your appliance, generate a new Self-Signed CA from the appliance command line.
  1. Log on to the MWG command line as a root user, and do the following:
    1. Type cd /opt/mwg/log/debug/tcpdump/ and press ENTER.
      NOTE: This directory was chosen because the MWG manager already has access to it, so the files can be downloaded from the manager without installing additional applications such as WinSCP.
       
    2. Type openssl genrsa -aes256 -out ca-key.pem 2048 and press ENTER. (The key file must be named ca-key.pem, because the next command reads it under that name.)
    3. Type openssl req -x509 -new -nodes -extensions v3_ca -key ca-key.pem -days 1024 -out ca-root.pem -sha256 and press ENTER.
       
  2. Download the certificate:
    1. Open the MWG manager.
    2. Select Troubleshooting > Packet tracing.
    3. Under Results (dump), select the files ca-key.pem (private key) and ca-root.pem (certificate).
    4. Click Download.
       
  3. Import the created Certificate and Key file:
    1. Open the MWG manager.
    2. Select Policy > Settings.
    3. In the left pane, select SSL Client Context with CA.
    4. Select your Default CA.
    5. Click Import.
    6. Save the changes.
       
  4. Verify the root CA's signature algorithm:
    1. View the related certificate:
      • In Google Chrome:
        1. Select Menu > More Tools > Developer tools.
        2. Select the Security tab, and then select Show Certificate.
      • In Internet Explorer:
        1. Click the lock sign on the right side of your address bar.
        2. Click Show Certificate.
           
    2. View the Certificate chain and used Root Certificate Authority:
      1. Select the Certificate Path tab (third tab).
      2. Highlight McAfee Web Gateway Certificate, and click View Certificate.
      3. Select the Detail tab.
        • View Signature algorithm.
        • View Signature hash algorithm.
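The openssl steps above together with the check in step 4, as an added example that is not part of the KB: it builds the CA in a temporary directory instead of /opt/mwg/log/debug/tcpdump/, adds -subj and omits -aes256 so it runs without prompts (both assumptions of this example), and reads the signature algorithm back with openssl x509 rather than a browser certificate viewer.

```shell
#!/bin/sh
# Added example (not from the KB): build a self-signed CA the way the article's
# openssl steps do, then read its signature algorithm back with openssl instead
# of clicking through a browser certificate viewer.
set -eu

# Stand-in for /opt/mwg/log/debug/tcpdump/ on the appliance (assumption: a temp dir)
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# make_ca <digest> <prefix>: RSA-2048 key plus self-signed CA cert valid 1024 days.
# Same openssl req options as the KB; -subj is added so the example runs without
# prompts, and the key is left unencrypted (no -aes256) for the same reason.
make_ca() {
    digest="$1"; prefix="$2"
    openssl genrsa -out "$WORKDIR/$prefix-key.pem" 2048 2>/dev/null
    openssl req -x509 -new -nodes -extensions v3_ca \
        -key "$WORKDIR/$prefix-key.pem" -days 1024 \
        -subj "/CN=Example Web Gateway CA" \
        -out "$WORKDIR/$prefix-root.pem" "-$digest" 2>/dev/null
}

# sig_alg <cert.pem>: print the signature algorithm, e.g. sha256WithRSAEncryption
sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# is_sha1_signed <cert.pem>: succeed when the cert is SHA-1 signed, which is the
# condition behind the browser warnings quoted in the article
is_sha1_signed() {
    case "$(sig_alg "$1")" in
        sha1*) return 0 ;;
        *)     return 1 ;;
    esac
}

make_ca sha256 good
GOOD_ALG="$(sig_alg "$WORKDIR/good-root.pem")"
echo "good-root.pem:   $GOOD_ALG"        # sha256WithRSAEncryption

# The legacy case the KB is fixing; newer OpenSSL builds may refuse to sign with SHA-1
if make_ca sha1 legacy; then
    echo "legacy-root.pem: $(sig_alg "$WORKDIR/legacy-root.pem")"
    is_sha1_signed "$WORKDIR/legacy-root.pem" && echo "legacy-root.pem would be flagged by browsers"
else
    echo "legacy-root.pem: this OpenSSL build refuses SHA-1 signatures"
fi
```

On the appliance itself, the same check is openssl x509 -in ca-root.pem -noout -text run against the file produced in the tcpdump directory.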

Solution

Upgrade to MWG 7.7.x, and generate a new certificate:
  1. Upgrade to MWG 7.7.x.
  2. Generate a new certificate:
    1. Open the MWG manager.
    2. Select Policy > Settings.
    3. In the left-pane, under SSL Client Context with CA highlight Default CA.
    4. In the right-pane, next to Certificate Authority, click Generate.
    5. In the Generate Certificate Authority pop-up message, review the settings, leave them at their defaults, and click OK.
