The following error may be presented when visiting an HTTPS website via the Umbrella Secure Web Gateway. It indicates that it was not possible to validate the website's certificate.
515 Upstream Certificate Untrusted
Umbrella validates the digital certificate presented by websites to ensure the authenticity of the server, and to make sure the certificate is issued by a trusted source.
Certificate problems can occur for a number of reasons. Usually when this error is shown, the same website would also be inaccessible (or present a warning/error page) when visited in a normal web browser without using the Umbrella SWG. For security reasons the Umbrella Secure Web Gateway does not allow an end user to bypass a certificate error.
- Certificate not issued by a trusted root authority
Umbrella maintains a list of root certification authorities (CAs) that are allowed to identify websites. The certificate must chain to one of these authorities. Umbrella obtains the list of trusted authorities from a common source used by popular web browsers. If you believe SWG does not yet trust a legitimate CA, please contact Umbrella Support.
- Certificate hostname does not match target URL
Certificate validation requires that the hostname(s) defined in the certificate match the intended URL that the user attempted to access (for example, the URL typed in the address bar). Otherwise, the certificate is invalid.
- Certificate Expired
The website certificate may have passed its expiry date.
- Certificate Revoked
The website certificate may have been revoked by the Root CA which could indicate it is being used fraudulently.
- Intermediate CA chain not presented by website
Websites should provide a chain of certificates (including any intermediate CA) to clients so that the client can verify the complete chain of trust up to a Root CA. If this chain is not presented, Umbrella may not be able to validate the certificate properly. Some certificates use an extension called "Authority Information Access (RFC4325)" to allow the client to automatically locate the intermediate certificates. Umbrella supports this feature, but not in all configurations. You must ensure Umbrella File Inspection is enabled for this functionality to be possible. Note that allowing a domain via a destination list will disable file inspection.
- Invalid characters in hostname
SWG is unable to perform certificate validation when the hostname contains invalid characters. Valid characters in an internet hostname are letters (A-Z), digits (0-9), the hyphen (-), and the period (.), as defined in RFC 952 / RFC 1123. Some web browsers may tolerate other characters, but SWG does not support them.
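To reproduce these checks from a client machine when troubleshooting, the following script (an added example, not Umbrella's own code) performs the same validation with the local trust store and maps each failure onto the causes listed above. The hostname rule follows RFC 952 / RFC 1123, the numeric codes are OpenSSL's X509_V_ERR_* values as exposed by Python's `ssl` module, and the grouping of those codes into causes is an assumption made here for readability.

```python
import re
import socket
import ssl

# OpenSSL X509_V_ERR_* codes (ssl.SSLCertVerificationError.verify_code)
# grouped onto the causes from this article. The grouping is our own.
CAUSES = {
    2: "Intermediate CA chain not presented by website",        # UNABLE_TO_GET_ISSUER_CERT
    10: "Certificate Expired",                                  # CERT_HAS_EXPIRED
    18: "Certificate not issued by a trusted root authority",   # DEPTH_ZERO_SELF_SIGNED_CERT
    19: "Certificate not issued by a trusted root authority",   # SELF_SIGNED_CERT_IN_CHAIN
    20: "Intermediate CA chain not presented by website",       # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "Intermediate CA chain not presented by website",       # UNABLE_TO_VERIFY_LEAF_SIGNATURE
    23: "Certificate Revoked",                                  # CERT_REVOKED
    62: "Certificate hostname does not match target URL",       # HOSTNAME_MISMATCH
}

# One RFC 1123 label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_is_valid(hostname: str) -> bool:
    """RFC 952 / RFC 1123 check: only letters, digits, hyphens and dots."""
    if not hostname or len(hostname) > 253:
        return False
    return all(LABEL.match(label) for label in hostname.rstrip(".").split("."))


def classify(verify_code: int) -> str:
    """Map an OpenSSL verify code onto one of the article's causes."""
    return CAUSES.get(verify_code, f"Other validation failure (verify_code {verify_code})")


def diagnose(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the system trust store and report the first cause found.

    Note: create_default_context() does no revocation checking, so code 23
    only appears when CRL checking is enabled and CRLs have been loaded.
    """
    if not hostname_is_valid(hostname):
        return "Invalid characters in hostname"
    ctx = ssl.create_default_context()  # hostname checking and chain building on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return "OK"
    except ssl.SSLCertVerificationError as err:
        return classify(err.verify_code)


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

A result other than "OK" from a normal client is a strong sign the website, not the gateway, is the thing to fix.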
It is possible to bypass certificate errors on an individual basis using the 'Selective Decryption' feature in Umbrella web policies. This is only recommended when the administrator trusts the authenticity of the website. For more information please contact Umbrella Technical Support.