Overview

The instructions mentioned in GFI WebMonitor support articles "Deploy the HTTPS Inspection certificate via GPO" and "Deploy the HTTPS Inspection certificate manually" to enable HTTPS scanning were followed but the generated certificates are marked as not trusted even after deploying the server certificate.

Requirements

Administrator privileges in GFI WebMonitor.

Root Cause

The wrong type of certificate.

Resolution

• When HTTPS scanning option is enabled, GFI WebMonitor must decrypt HTTPS websites and re-encrypt these websites for secure transmission to the client browser with self-generated certificates.
  
  
• As GFI WebMonitor must act as a Certification Authority, it requires a valid root certificate signed by a trusted Certification Authority (CA), a standard SSL certificate will not be enough.
  
  
• To import the certificate and deploy it as a trusted root on client computers, please follow instructions in below links:

  • Import an existing HTTPS Scanning certificate.

  • Deploy an HTTPS Inspection Certificate Manually.

  • Deploy an HTTPS Inspection Certificate Using GPO.
    
    
    

Validation

After the certificate is properly imported and deployed, no certificate warnings will be shown in client computers when trying to browse to HTTPS sites.