
Although the FW SSL certificate is installed on the client PC, the HTTPS warning still appears each time we try to connect to an HTTPS URL.

Publication Date:  2019-06-03  |   Views:  197  |   Downloads:  0  |   Author:  m84103073  |   Document ID:  EKB1100017288

Contents

Issue Description

Configured the SSL-encrypted Traffic Detection function on the USG to check the content security of decrypted traffic, using the configuration example below:

https://support.huawei.com/hedex/pages/EDOC1000154459AEH0731H/07/EDOC1000154459AEH0731H/07/resources/admin/sec_admin_decrption_policy_0017.html?ft=0&fe=10&hib=6.16.7.3&id=sec_admin_ssldecrypt_0009&text=Web%253A%2520Example%2520for%2520Using%2520the%2520SSL-encrypted%2520Traffic%2520Detection%2520Function%2520to%2520Protect%2520Client&docid=EDOC1000154459

Although the FW SSL certificate is installed on the client PC, the HTTPS warning still appears each time you try to connect to an HTTPS URL, which is a bad experience for the customer.


Alarm Information



Handling Process

After checking the configuration and the mechanism of SSL-encrypted Traffic Detection, we found that this behavior occurs because no CA certificate issued by a trusted organization has been imported to the firewall.



Let me explain why, simply:

- The firewall works as a proxy between the HTTPS server and the client so that it can encrypt and decrypt the traffic between them.

When we configure SSL-encrypted Traffic Detection, we create two certificates on the firewall.


One of them we mark as Trusted:


And the other one is marked as Untrusted.


Only the trusted certificate is uploaded to the client and made trusted on the PC.

 

- The main idea is when and why the USG uses these two certificates, which is explained below.


The firewall receives a certificate from the HTTPS server so that it can encrypt and decrypt the traffic between the server and the USG. Then the USG validates the HTTPS server certificate using the CA certificate issued by the trusted organization, which should have been imported to the firewall.

The result of the validation determines which certificate (trusted or untrusted) the firewall sends to the client, after modifying it as described above, so that the USG can encrypt and decrypt traffic from and to the client.

If the server certificate is validated successfully, the USG sends the client the trusted SSL decryption certificate, which is uploaded to and trusted on the client, so no warning message appears.

If the server certificate is not validated, the USG sends the untrusted SSL decryption certificate to the client, which is not uploaded to or trusted on the client, so a warning message appears to warn users that the server certificate has not been validated and lets them choose whether to proceed or not.
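The following script is an added example (not from this KB article and not USG product code) that models the decision just described: the proxy validates the server certificate against the CA store it holds and, based on the result, presents either the "trusted" or the "untrusted" decryption certificate. It assumes only that the `openssl` command-line tool is available; the CA, the server certificate and the names in them are constructed test material, and `pick_decryption_cert` is the same `openssl verify` check an operator can run by hand to see whether a given CA store would validate a given server certificate.

```shell
#!/bin/sh
# Added example, not part of the Huawei KB article or the USG product code.
# Models the proxy's choice: validate the HTTPS server certificate against the
# CA store, then present the "trusted" or the "untrusted" decryption certificate.
# All certificates built here are constructed test material (no real CA or site).
set -eu

# Decide which decryption certificate the proxy would present to the client.
#   $1  server certificate (PEM) as received from the HTTPS server
#   $2  CA bundle (PEM) standing in for the firewall's CA certificate store
# Prints "trusted" when the chain validates, "untrusted" otherwise.
pick_decryption_cert() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Build a constructed PKI in scratch directory $1:
#   ca.crt     a root CA playing the "trusted organization"
#   srv.crt    a server certificate issued by ca.crt
#   other.crt  an unrelated CA, i.e. a CA store that lacks the real issuer
make_test_pki() {
    dir="$1"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/srv.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = www.example.test
EOF
    # Root CA (self-signed)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    # Server key + CSR, then a certificate signed by the root CA
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/srv.cnf" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/srv.crt" >/dev/null 2>&1
    # A second CA that never issued srv.crt: a CA store missing the issuer
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -subj "/CN=Unrelated Test CA" -keyout "$dir/other.key" -out "$dir/other.crt" >/dev/null 2>&1
}

# Stand-alone demo: issuer in the store -> "trusted"; issuer missing -> "untrusted".
demo() {
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    printf 'issuer present in CA store : %s\n' "$(pick_decryption_cert "$tmp/srv.crt" "$tmp/ca.crt")"
    printf 'issuer missing from CA store: %s\n' "$(pick_decryption_cert "$tmp/srv.crt" "$tmp/other.crt")"
    rm -rf "$tmp"
}
demo
```

The second case is the situation in this article: the server's certificate is perfectly valid, but because the firewall's CA store does not contain the issuing CA, validation fails and the client receives the untrusted decryption certificate, so the browser warns.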

 

Please refer to the following:




Root Cause

No CA certificate issued by a trusted organization has been imported to the firewall.


Solution

Import the CA certificate issued by a trusted organization.

- Choose Object > Certificates > CA Certificates.


- Click Update to import the CA certificate.



Or, as a workaround, you can upload the untrusted SSL decryption certificate to the client (in the same way as the trusted SSL decryption certificate). In this case, even if the HTTPS server certificate is not validated and the USG sends the untrusted SSL decryption certificate to the client, no warning message appears.