Install Encrypted Traffic Certificates
While root certificates are required when SSL Interception is enabled, Symantec strongly recommends installing the Web Security Service root certificates on all client systems independent of the SSL setting. One reason is that a majority of social networking sites use SSL, which means the Web Security Service must perform some SSL interception for policy checks and enforcement. Without the certificates, clients receive Untrusted Issuer warnings, which generate support/IT inquiries and cause loss of productivity.
About the Root Certificate Recommendation
If you elect to not enable SSL interception, Symantec strongly recommends that you still deploy the Web Security Service root certificate to clients because some SSL interception is required for policy enforcement against web applications.
Tip: All Intermediate CAs used for certificate emulation are signed with SHA-2 (SHA256).
Procedure: Obtain Certificate and Propagate
Step 1—Download the SSL Root Certificate.
If you previously completed this, proceed to Step 2.
If you enable SSL Interception, users receive a security warning dialog each time they attempt to browse an encrypted (HTTPS) website because their browser does not recognize the certificate returned by the Web Security Service. To prevent this security prompt, download the certificate and propagate it to all client browsers.
Ensure that the Web Security Service root certificate is installed on all clients. For clients with Unified Agent on the endpoints, this is automatically installed and applied to Internet Explorer, Edge and Google Chrome. If your organization uses Firefox or another browser that has its own certificate store, this certificate must be installed directly into that web browsing application.
- In Service mode, select Network > SSL Interception.
- Next to SSL Root Certificate, click Download.
- Click Save File and save the certificate to an internally accessible location, such as a server that hosts applications provided by IT.
Step 2—Distribute or install the certificate on supported browsers.
Propagate the cert to all supported client browsers. One way to do this is to send out the link to the certificate location and instruct users how to install it. Select the following links for browser-specific installation instructions.
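For Windows clients without Unified Agent, the following added example (not Symantec's code) checks the file saved in Step 1 before placing it in the machine-wide Trusted Root store that Internet Explorer, Edge and Google Chrome read. The parameter names are illustrative, and the expected SHA-256 fingerprint is an assumption: a value the administrator recorded out-of-band when downloading the certificate. Firefox is not covered because it keeps its own store.

```powershell
# Added example, not vendor code. Run from an elevated PowerShell session.
# -CertPath:       the file saved in Step 1 (location is site-specific).
# -ExpectedSha256: fingerprint recorded out-of-band (assumed to exist).
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256
)
$ErrorActionPreference = 'Stop'

# Parse the file (DER or Base64) without adding it to any store yet.
$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path

# 1. SHA-256 over the DER encoding must match the recorded value.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') })
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
if ($actual -ne $expected) { throw "Fingerprint mismatch. File has $actual" }

# 2. A root certificate is self-issued and carries the CA basic constraint.
if ($cert.Subject -ne $cert.Issuer) { throw "Not self-issued: issuer is $($cert.Issuer)" }
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$bc = $cert.Extensions | Where-Object { $_ -is $bcType }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Basic constraints do not mark this certificate as a CA'
}

# 3. The certificate must be inside its validity window.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Outside validity window ($($cert.NotBefore) to $($cert.NotAfter))"
}

# Record what is about to be trusted, for the change log.
Write-Host "Subject:   $($cert.Subject)"
Write-Host "Signature: $($cert.SignatureAlgorithm.FriendlyName)"
Write-Host "Expires:   $($cert.NotAfter.ToString('u'))"

# All checks passed: import into the machine-wide Trusted Root store.
Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the store now holds the certificate.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw 'Import did not take effect'
}
Write-Host 'Root certificate installed.'
```

Any failed check stops the script before the import, so a truncated or substituted file in the shared download location never reaches the trust store.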