Introduction
This document describes how to troubleshoot Umbrella Secure Web Gateway (SWG) certificate errors occurring only for Digicert-signed certificates.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Umbrella Secure Web Gateway.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
You notice certificate errors on a select set of websites after enabling Application Controls on the Umbrella Secure Web Gateway (SWG). If the failing certificates are consistently Digicert-signed certificates, continue reading this article. If the errors affect all certificates rather than only Digicert-signed ones, consult the Umbrella documentation on deploying the Cisco Root CA in order to perform SSL decryption.
Solution
Certificate errors that appear after Application Controls are enabled are most commonly caused by blocking the Digicert certificate management service, which falls under the Security application category. With Digicert services blocked, the OCSP revocation check that clients perform to validate a certificate fails for every Digicert-signed certificate, because the responder is unreachable through the proxy.
The most common trigger is blocking the entire Security application category, which automatically includes Digicert and therefore produces widespread certificate errors.
To resolve this issue, ensure that neither Digicert OCSP nor Digicert is blocked in Application Settings. The following screenshot shows an example of a configuration that requires adjustment:
[Screenshot: Application Settings configuration requiring adjustment]
Additionally, confirm that the policy you expect to apply is actually being applied by visiting http://policy-debug.checkumbrella.com/
To confirm the resolution, check Activity Search and verify that requests to ocsp.digicert.com have switched from "Blocked" to "Allowed."
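The Activity Search check above can be scripted against an exported log so that every OCSP responder, not only ocsp.digicert.com, is reviewed at once. The following is an added example, not part of this article or of the Umbrella product; the CSV rows are constructed, and the column names (`destination`, `action`) are assumptions standing in for whatever your export actually contains.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample rows shaped like a proxy/Activity Search export (before the policy fix).
# Column names are assumptions for this example, not the product's documented schema.
SAMPLE_BEFORE = """timestamp,identity,destination,url,action,categories
2024-01-10 09:00:01,laptop-01,ocsp.digicert.com,http://ocsp.digicert.com/,Blocked,Security
2024-01-10 09:00:02,laptop-01,www.example.com,https://www.example.com/,Allowed,Business
2024-01-10 09:00:05,laptop-02,ocsp.digicert.com,http://ocsp.digicert.com/,Blocked,Security
2024-01-10 09:00:07,laptop-03,ocsp.pki.goog,http://ocsp.pki.goog/,Allowed,Security
"""

# Constructed rows after Digicert OCSP was unblocked: the latest event is now Allowed.
SAMPLE_AFTER = SAMPLE_BEFORE + (
    "2024-01-10 09:05:00,laptop-01,ocsp.digicert.com,http://ocsp.digicert.com/,Allowed,Security\n"
)


def is_ocsp_host(host):
    """Heuristic: OCSP responders are conventionally published on an 'ocsp.' hostname."""
    return host.lower().startswith("ocsp.")


def summarize_ocsp(csv_text):
    """Return {responder_host: Counter({'Blocked': n, 'Allowed': m})} over all OCSP hosts seen."""
    per_host = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["destination"].strip().lower()
        if is_ocsp_host(host):
            per_host[host][row["action"].strip()] += 1
    return dict(per_host)


def last_action(csv_text, host):
    """Action recorded for the most recent event to host (rows are assumed chronological)."""
    action = None
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["destination"].strip().lower() == host.lower():
            action = row["action"].strip()
    return action


def blocked_ocsp_hosts(csv_text):
    """OCSP responders whose most recent event is still Blocked, i.e. the policy still needs fixing."""
    return sorted(h for h in summarize_ocsp(csv_text) if last_action(csv_text, h) == "Blocked")


if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(f"== {label} ==")
        for host, counts in sorted(summarize_ocsp(sample).items()):
            print(f"{host}: blocked={counts['Blocked']} allowed={counts['Allowed']} "
                  f"last={last_action(sample, host)}")
        print("responders still blocked:", blocked_ocsp_hosts(sample) or "none")
```

Only the most recent event per responder decides whether the fix has taken effect; historical Blocked rows from before the policy change are expected and are reported as counts rather than as an open problem.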