Sites blocked due to expired Root Certificate Authority on May 30, 2020

Technical Articles ID: KB92953
Last Modified: 2023-12-11 13:50:34 Etc/GMT

Environment

Skyhigh Web Gateway (SWG)

Summary

Secure web traffic (TLS) uses a certificate hierarchy to establish secure lines of communication. By design, SWG has a feature that blocks websites that use expired server certificates or websites that don't have a trusted certificate path.

When a root certificate authority (CA) expires, it causes multiple websites to use a certificate chain that's no longer valid. This broken chain causes SWG to take a block action and present users with an SWG block page.

Problem

When a user tries to access sites that use the expired CA in their certificate chain, the following message or a similar error is displayed:

Certificate verification failed

The certificate verification failed in rule 'Block Expired Server (7 Day Tolerance) and Expired CA Certificates'.

Solution

This behavior isn't a Trellix issue. This behavior is expected because the target website includes trust chains that include an expired certificate authority.

To resolve the root cause, the owner of the affected websites must update their certificate chains to remove expired CAs.

Workaround

Mitigation has been created within the Trellix Subscribed list "Known CAs" version 373. This mitigation allows SWG to find alternative valid trust chains even if the server is still sending this expired certificate chain.

To verify that you've received this list, view the update.log in the SWG GUI:
1. Open the Troubleshooting tab, click <Appliance Host name>, Log Files, Update, update.log.
2. Verify that the following lines are present:
If needed, the administrator can use the "Update Engines - Trigger Update" feature from the Configuration tab in the SWG GUI. This feature triggers the list update for all SWG appliances in your cluster. After the update has completed, you can verify with the steps above.

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

Sites blocked due to expired Root Certificate Authority on May 30, 2020

Environment

Summary

Problem

Solution

Workaround

Affected Products

Languages:

Title

Title

Knowledge Center

Sites blocked due to expired Root Certificate Authority on May 30, 2020

Environment

Summary

Problem

Solution

Workaround

Affected Products

Languages:

Choose your region

Title

Title