Skyhigh Security Secure Web Gateway Cloud Certificate Bundle
Skyhigh Security is updating the default Certificate bundle from McAfee to Skyhigh Security certificate in the Skyhigh Secure Web Gateway (SWG) for Cloud. The new bundle contains Skyhigh Security signed certificates. This change will affect the HTTPS scanning and SAML logins if you are using the default McAfee certificate bundle. No change is required if you are using the custom certificate.
If you have a Skyhigh Secure Web Gateway for Cloud that works for you without trusting the current McAfee-branded certificates, then no actions are required (you won't need the new certificate either).
NOTE: Use this default certificate when the customer-specific certificate cannot be used, i.e., if SWG is not able to determine the customer where they cannot present their own created certificate. This typically happens for errors before the authentication. The Skyhigh certificates must be deployed to endpoint trust stores to see the error page displayed by SWG. Otherwise, browsers will typically present their security warning page pointing out that a self-signed certificate imposes a risk and thus shadowing the error response sent by SWG.
Customer acknowledges that the Software is subject to U.S. and when applicable, European Union export regulations. Customer shall comply with applicable export and import laws and regulations for the jurisdiction in which the Software will be imported and/or exported. Customer shall not export the Software to any individual, entity or country prohibited by applicable law or regulation. Customer is responsible, at Customer’s own expense, for any local government permits, licenses or approvals required for importing and/or exporting the Software.
Exports and re-exports of Skyhigh Security products are subject to U.S. export controls and sanctions administered by the Commerce Department’s Bureau of Industry and Security (BIS) under the U.S. Export Administration Regulations (EAR). This page provides export control information regarding our software and hardware products. Our products provide encryption features that are subject to the EAR and other U.S. laws.
Update Skyhigh Certificate
Make sure to complete the following before Nov 15, 2023:
- Download the new Certificate Bundle from Skyhigh Security if you are using the default Certificate bundle.
- Import the new Skyhigh Security certificate into the Trusted root CA Store of all your endpoints before Nov 15, 2023. Post this date, Skyhigh Security won’t be using McAfee branded certificate any longer. You may choose to remove the McAfee-branded Root CA from your trust store once the Skyhigh certificate is used.
- If step 2 is not performed before Nov 15, 2023, the end users will see Untrusted certificate messages in their browsers, and SAML authentication in web policy flows might break.
- No actions are needed if the default Certificate bundle is NOT trusted.
NOTE: You can install the new certificate bundle to coexistence with the old certificate bundle before Nov 15, 2023, to enable a seamless migration without affecting any services.
How do I verify that I have replace the new certificate bundle successfully?
Once you install the Skyhigh Security certificate, try to browse https://testca.api.wgcs.skyhigh.cloud/. If the browser can access this URL without a need to accept the certificate, then the new certificate is installed correctly. You can check the root CA’s CN name when this URL is accessed.
Where can I download the new certificate package?
Click SkyhighSecurityOpsRootCA2023 to download the new certificate.
Can I have both the old certificate and new exist together without any problem?
Can I test the new certificate prior to November 15, 2023?
Yes. Once the new Skyhigh Security certificate is installed, try to browse https://testca.api.wgcs.skyhigh.cloud. If the browser can open this URL without a need to accept the certificate, then the new certificate is installed correctly. One may even check the root CA’s CN name when this URL is accessed.