Certificates do not meet pinning requirements MacOS
Hi All,
I've had to upgrade some of our internal Apple Mac workstations from Sierra 10.12 / High Sierra 10.13 to Catalina 10.15 and Big Sur 11. We've had HTTPS packet inspection running for a while on the older versions of macOS by adding the WatchGuard certs locally as allowed to do everything.
Fireware is 12.7.0 on M500 cluster.
Since upgrading macOS, the workstations have had issues with all HTTPS site connections reporting "This connection is not private". If I look at the certificate it shows the proxy cert and gives the error in the title above (using Safari as the browser).
Has anybody seen this, and do you have a solution to keep content inspection working?
At present I've had to move the Apples to a plain HTTPS firewall rule without inspection.
The Certificate from the firewall is the default Cert, I've not made any changes to its internal cert.
I hope this makes sense to you all.
Regards,
Dave.
Comments
I've just managed to get my hands on a Mac to test and it looks like:
Safari 14.1.2 reports this error.
Firefox 92.0 works fine, no errors.
Chrome 93.0.4577.82 reports NET::ERR_CERT_WEAK_KEY
accessing any HTTPS site. All are showing the firewall proxy cert.
Hi @DaveBowker
Depending on when the M500 was deployed, it may have generated weaker cert pairs. The firewall uses the "proxy authority" certificate for content inspection, which is what it sounds like you have enabled.
If you're using an older cert, you can "upgrade" the cert in place. However, this will change the cert in use, and the new one must be imported into the clients. You can also use Windows Certificate Services to make a CSR and sign it on the AD's cert server.
Please see the article here:
(Important Information about Firebox Certificates)
https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_0_1/index.html#Fireware/en-US/certificates.html
-James Carson
WatchGuard Customer Support
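To confirm whether a proxy certificate is the kind of "weaker cert pair" described above before re-issuing it, the check below (an added example, not WatchGuard's or the poster's code) reads a PEM certificate with the openssl CLI and tests it against the rules Apple applies to TLS server certificates from macOS 10.15 onward: RSA keys of at least 2048 bits, a SHA-2 signature hash, and a validity period of no more than 825 days. It assumes `openssl` is on the PATH; the validity check needs GNU `date` and is skipped otherwise.

```shell
#!/bin/sh
# Check a PEM certificate against Apple's macOS 10.15+ TLS trust rules.
# Prints one line per finding; returns 0 if all pass, 1 if any fail,
# 2 if the file cannot be parsed.
check_apple_tls_cert() {
    cert="$1"
    fail=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # 1. RSA keys must be at least 2048 bits (works for 1.1.1 and 3.x output).
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p' | head -n1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
    if [ "$keyalg" = "rsaEncryption" ] && [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL key: RSA $bits bits (minimum 2048)"; fail=1
    else
        echo "ok   key: $keyalg $bits bits"
    fi

    # 2. Signature hash must be from the SHA-2 family; SHA-1 and MD5 are rejected.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n1)
    case "$sigalg" in
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512)
            echo "ok   sig: $sigalg" ;;
        *)
            echo "FAIL sig: $sigalg (SHA-2 required)"; fail=1 ;;
    esac

    # 3. Validity must not exceed 825 days (date parsing requires GNU date).
    nb=$(openssl x509 -in "$cert" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$cert" -noout -enddate  | cut -d= -f2)
    if s=$(date -u -d "$nb" +%s 2>/dev/null) && e=$(date -u -d "$na" +%s 2>/dev/null); then
        days=$(( (e - s) / 86400 ))
        if [ "$days" -gt 825 ]; then
            echo "FAIL validity: $days days (maximum 825)"; fail=1
        else
            echo "ok   validity: $days days"
        fi
    else
        echo "skip validity: cannot parse dates without GNU date"
    fi
    return $fail
}

# Usage: export the proxy CA from the Firebox (or save a leaf cert Safari
# shows) as PEM, then run: check_apple_tls_cert proxy-authority.pem
```

Run it against both the proxy authority certificate and one of the per-site certificates it issues, since Safari evaluates the whole chain.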