Certificates do not meet pinning requirements MacOS

edited September 16 in Firebox - Proxies

Hi All,

I've had to upgrade some of our internal Apple Mac workstations from Sierra 10.12 / High Sierra 10.13 to Catalina 10.15 and Big Sur 11. We've had HTTPS packet inspection running for a while on the older versions of macOS by adding the WatchGuard certs locally and trusting them for everything.

Fireware is 12.7.0 on M500 cluster.

Since upgrading macOS, the workstations have had issues with all HTTPS site connections, reporting "This connection is not private." If I look at the certificate it shows the proxy cert and gives the error in the title above (using Safari as the browser).

Has anybody seen this, and do you have a solution to keep content inspection working?

At present I've had to move the Apples to a plain HTTPS firewall rule without inspection.

The certificate from the firewall is the default cert; I've not made any changes to its internal cert.

I hope this makes sense to you all.
Regards,
Dave.

Comments

  • I've just managed to get my hands on a Mac to test, and it looks like
    Safari 14.1.2 reports this error.
    Firefox 92.0 works fine, no errors.
    Chrome 93.0.4577.82 reports NET::ERR_CERT_WEAK_KEY.

    This happens when accessing any HTTPS site. All are showing the firewall proxy cert.

  • james.carson, Moderator, WatchGuard Representative

    Hi @DaveBowker
    Depending on when the M500 was deployed, it may have generated weaker cert pairs. The firewall uses the "Proxy Authority" certificate for content inspection, which is what it sounds like you have enabled.

    If you're using an older cert, you can "upgrade" the cert in place. However, this will change the cert in use, and the new one must be imported into the clients. You can also use Windows Certificate Services to make a CSR and sign it on the AD's cert server.

    Please see the article here:
    (Important Information about Firebox Certificates)
    https://www.watchguard.com/support/release-notes/fireware/12/en-US/EN_ReleaseNotes_Fireware_12_0_1/index.html#Fireware/en-US/certificates.html

    -James Carson
    WatchGuard Customer Support
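The thread points at a weak key pair on the Proxy Authority certificate as the likely cause of Safari's rejection and Chrome's NET::ERR_CERT_WEAK_KEY. The following script is an added example (not WatchGuard's or Apple's code) that checks a certificate's key size and signature algorithm against the minimums Apple enforces for TLS trust on macOS 10.15 and later (RSA keys of at least 2048 bits, SHA-2 signatures). It parses the text dump produced by `openssl x509 -text -noout`; the embedded sample dumps are constructed, and the issuer names in them are placeholders rather than real Firebox output. The `check_cert_file` and `check_cert_from_host` helpers assume `openssl` is installed on the machine you run it from.

```sh
#!/bin/sh
# Added example: does a certificate meet the key-size / signature minimums Apple
# applies on macOS 10.15+? Input is the output of `openssl x509 -text -noout`.

# Constructed sample dumps (issuer CNs are placeholders, not real Firebox output).
WEAK_SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=example-proxy-ca (constructed)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

GOOD_RSA_SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=example-proxy-ca (constructed)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'

GOOD_EC_SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=example-proxy-ca (constructed)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)'

# check_cert_text TEXT: prints findings; returns 0 if the cert passes, 1 otherwise.
check_cert_text() {
    text="$1"
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^.*Public Key Algorithm: *\(.*\)$/\1/p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    # The first "Signature Algorithm" line is the one in the TBS certificate body.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^.*Signature Algorithm: *\(.*\)$/\1/p' | head -n 1)
    status=0

    case "$keyalg" in
        rsaEncryption)
            if [ "${bits:-0}" -lt 2048 ]; then
                echo "WEAK: RSA key is ${bits:-?} bits; macOS requires at least 2048"
                status=1
            fi ;;
        id-ecPublicKey)
            if [ "${bits:-0}" -lt 256 ]; then
                echo "WEAK: EC key is ${bits:-?} bits; expected P-256 or larger"
                status=1
            fi ;;
        *)
            echo "UNKNOWN: key algorithm '$keyalg' not recognised"
            status=1 ;;
    esac

    case "$sigalg" in
        sha1*|md5*|md2*|*SHA1)
            echo "WEAK: signature algorithm $sigalg; macOS requires SHA-2"
            status=1 ;;
        sha256*|sha384*|sha512*|ecdsa-with-SHA*)
            : ;;
        *)
            echo "UNKNOWN: signature algorithm '$sigalg' not recognised"
            status=1 ;;
    esac

    [ "$status" -eq 0 ] && echo "OK: $keyalg $bits bit key, signed with $sigalg"
    return "$status"
}

# check_cert_file PEMFILE: check an exported Proxy Authority certificate.
check_cert_file() {
    check_cert_text "$(openssl x509 -in "$1" -noout -text)"
}

# check_cert_from_host HOST: check the leaf cert a Mac actually receives through
# the proxy (it is re-signed by the Firebox when content inspection is on).
check_cert_from_host() {
    check_cert_text "$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text)"
}

# Usage: ./check_proxy_cert.sh proxy-authority.pem   or   ./check_proxy_cert.sh www.example.com
if [ "$#" -gt 0 ]; then
    if [ -f "$1" ]; then check_cert_file "$1"; else check_cert_from_host "$1"; fi
fi
```

Run it once against the exported Proxy Authority PEM and once against a host fetched from an inspected Mac: the first tells you whether the CA key itself is too small, the second whether the certificates the Firebox mints per site are. If either reports WEAK, regenerating the Proxy Authority certificate (or signing a CSR on your own CA, as described above) and redistributing it to the clients is the fix; trusting the old cert more broadly on the Mac will not help, because the browser rejects the key size rather than the trust path.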
