"Client has not installed CA certificate" error in SmartView Tracker
"Client has not installed CA certificate" log indicates, in most of cases, that an application or client browser fails to validate the server certificate.
Main reason for that is that the generated gateway CA was not deployed on the clients. For instructions how to deploy CA certificate, refer to sk65123.
In this case, log does not indicate an error but points to a missing step in HTTPS Inspection deployment.
There might be other cases when such logs will be generated, such as:
- The DN in the certificate does not match the actual URL (for example, when you browse to https://www.gmail.com, the DN in the certificate states mail.google.com. This is also the case with certain sites that use Content Distribution Networks.) This is a limitation related to specific sites and cannot be solved on gateway. This Log can be ignored.
- Some applications may use their own internal trusted CAs list. For HTTPS Inspection to work with these applications the Gateway CA needs to be deployed in the applications internal trusted CAs list. Some applications may fail to connect if the gateway CA cannot be added to their CA list. In these instances a Bypass rule should be used for HTTPS Inspection to allow the application to connect..
- Server certificate is untrusted by the gateway. By design, a self-signed untrusted CA is generated by gateway and always results in such log. If Server CA should be trusted, refer to sk65123 to add it to trusted CAs list on gateway.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.