Showing results for 
Show  only  | Search instead for 
Did you mean: 
Level 10
Report Inappropriate Content
Message 1 of 6

Cert Issue


we tried to connect to


this is blocked due to Unknown CA.


I Tried to figure out which is the CA we don't know. This is the path we got without ssl interception. For me this looks ok. 


All certs in this path are wellknown... 


Any Idea?

5 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 6

Re: Cert Issue

Hi @feickholt,


I just checked this on a Web Gateway running 7.8.2 with a default config. With HTTPS Scanning enabled the site is working fine.


Maybe you can check which setting is used in the rule to check the certificate and also you can check if there is new content for the Known CAs list.

Level 10
Report Inappropriate Content
Message 3 of 6

Re: Cert Issue

We use 7.7.2

and uses the Known CAs supplied by MC.

I reloaded the List manually nothing changed

Here is the rule Unbenannt.PNG


Level 10
Report Inappropriate Content
Message 4 of 6

Re: Cert Issue

something strange is regarding the certificate Chain length. The property show 1 but the right value must be 4

Former Member
Not applicable
Report Inappropriate Content
Message 5 of 6

Re: Cert Issue

Hi Frank,

Tried to reproduce the issue on my side as well, running with default McAfee supplied list of known CAs, but without any success.

Also double-checked the certificate path and for me this looks totally fine just as you mentioned.

Not sure what might go wrong there, looks like a strange behaviour within your policy/environment...


Report Inappropriate Content
Message 6 of 6

Re: Cert Issue


Hope you are doing well.

Below is the certificate being received at my end and website works fine with proxy and SSL enabled:-


Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 4861
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 4857
Certificates Length: 4854
Certificates (4854 bytes)
Certificate Length: 1422
Certificate: 3082058a30820472a0030201020210097e6b210aaf0fbca1... (id-at-commonName=*
Certificate Length: 1101
Certificate: 3082044930820331a0030201020213067f94578587e8ac77... (id-at-commonName=Amazon,id-at-organizationalUnitName=Server CA 1B,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1174
Certificate: 308204923082037aa0030201020213067f944a2a27cdf3fa... (id-at-commonName=Amazon Root CA 1,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1145
Certificate: 308204753082035da003020102020900a70e4a4c3482b77f... (id-at-commonName=Starfield Services Root Certificate Authority ,id-at-organizationName=Starfield Technologies, Inc.,id-at-localityName=Scottsdale,id-at-stateOrProvinceName=A


I would once suggest to again check the certificate being received to MWG with SSL inspection enabled  and check if certificate autheorities is present in the CA list being used in your policy.


If all look fine then you may open a case with support for further investigation.



Alok Sarda



You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community