You may notice certificate errors on a select set of websites after enabling Application Controls on the Umbrella Secure Web Gateway (SWG). If these errors consistently involve Digicert certificates, please read on. If the errors affect all certificates, please consult our documentation for deploying the Cisco Root CA in order to perform SSL decryption.
Explanation and Resolution
Certificate errors occurring after Application Controls are enabled are most commonly due to blocking the certificate management service Digicert under the "Security" category. With Digicert services blocked, the certificate revocation (OCSP) check that clients perform to validate a certificate fails for every Digicert-signed certificate.
The most common trigger is a block of the entire "Security" application category, which automatically includes Digicert and therefore causes widespread certificate errors.
To resolve this issue, ensure that Digicert OCSP and Digicert are not blocked by Application Settings. See the configuration below as an example of one that requires adjustment.
Additionally, confirm that the intended policy is actually being applied by visiting policy-http://debug.checkumbrella.com.
To confirm resolution, check your Activity Search for a switch of ocsp.digicert.com queries from blocked to allowed.
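As an added example (not part of Cisco's documentation or the Umbrella product), the following script performs the Activity Search check described above over exported log lines: it picks out traffic to OCSP and CRL endpoints, tallies blocked versus allowed events per destination, and reports any revocation endpoint whose most recent event is still a block. The column layout, hostnames other than ocsp.digicert.com, and the log lines themselves are constructed assumptions.

```python
"""Audit exported Umbrella Activity Search lines for blocked certificate
revocation traffic (OCSP/CRL). Example code, not part of Umbrella."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in an assumed, simplified export layout:
# timestamp,identity,destination,action,categories
SAMPLE_LOG = """\
2024-01-10T09:00:01Z,host-1,ocsp.digicert.com,Blocked,Security
2024-01-10T09:00:02Z,host-1,www.example.com,Allowed,Business
2024-01-10T09:00:05Z,host-2,ocsp.digicert.com,Blocked,Security
2024-01-10T09:03:11Z,host-2,crl.other-ca.test,Blocked,Security
2024-01-10T09:10:41Z,host-1,ocsp.digicert.com,Allowed,Security
2024-01-10T09:11:02Z,host-2,ocsp.digicert.com,Allowed,Security
"""

def is_revocation_endpoint(host):
    """Heuristic: OCSP responders and CRL distribution points are usually
    served from hostnames whose first label starts with 'ocsp' or 'crl'."""
    first_label = host.lower().split(".", 1)[0]
    return first_label.startswith("ocsp") or first_label.startswith("crl")

def audit_revocation_traffic(log_text):
    """Return (per-destination action counts for revocation endpoints,
    sorted list of endpoints whose latest event is still 'Blocked').
    Rows are assumed to be in chronological order."""
    fields = ["timestamp", "identity", "destination", "action", "categories"]
    counts = defaultdict(dict)
    last_action = {}
    for row in csv.DictReader(StringIO(log_text), fieldnames=fields):
        dest = row["destination"]
        if not is_revocation_endpoint(dest):
            continue  # ordinary web traffic is irrelevant to this check
        action = row["action"]
        counts[dest][action] = counts[dest].get(action, 0) + 1
        last_action[dest] = action
    still_blocked = sorted(d for d, a in last_action.items() if a == "Blocked")
    return dict(counts), still_blocked

if __name__ == "__main__":
    totals, unresolved = audit_revocation_traffic(SAMPLE_LOG)
    for dest, per_action in sorted(totals.items()):
        print(f"{dest}: {per_action}")
    print("revocation endpoints still blocked:", unresolved or "none")
```

In the constructed sample, ocsp.digicert.com switches from blocked to allowed (resolved), while the made-up crl.other-ca.test remains blocked and is flagged for follow-up.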