Mariano Ivaldi

AVG for macOS adding trusted root CA certificate to WebShield's certificate store

Hello,

 I have a Mac running macOS Mojave with AVG Antivirus, and I am behind a corporate firewall running its own SSL decryption. When "AVG Web Shield" is enabled, it runs SSL decryption a second time.

 Since AVG Web Shield does not know of my corporate's CA certificate, all web-browsing to https websites comes to a stop, until Web Shield is disabled.

 Apparently, Web Shield is not using the system's certificate keystore under Keychain Access, instead, it appears to maintain its own CA certificate store under:

/Library/Application Support/AVGAntivirus/config/CA/trusted/

I tried manually placing my corporate's PEM certificate in this directory, but AVG is not pulling it in. I see that the existing certificates have names like:

EAECFF972FA0B28D387B403B16BDD4FE7C28004366D7D9A727CA162833F90AA5.pem
0821A0523399A3F51CD7542E7F30981EFA10849D81A7A1E6C4C68E4EAF4C6C00.pem
... etc

Do I need to give my corporate's PEM certificate a special name following this coding standard? Or how can my corporate root CA certificate be added to AVG's certificate store?
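
Added example, not part of the original post and not AVG's code: a Python check of whether the 64-hex-character file names in a directory of PEM files equal the SHA-256 of each certificate's DER encoding. That naming rule is an assumption to test, not something the thread confirms; `der_fingerprints`, `audit_store`, `demo` and the sample bytes are constructed here.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_fingerprints(pem_text):
    """Uppercase SHA-256 hex of each certificate's DER bytes in a PEM text."""
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.append(hashlib.sha256(der).hexdigest().upper())
    return prints

def audit_store(directory):
    """Report, per *.pem file, whether its name equals the cert's SHA-256."""
    report = {}
    for path in sorted(Path(directory).glob("*.pem")):
        prints = der_fingerprints(path.read_text(errors="replace"))
        if len(prints) != 1:
            report[path.name] = "not-single-cert"  # empty file or a bundle
        elif path.stem.upper() == prints[0]:
            report[path.name] = "name-matches-sha256"
        else:
            report[path.name] = "name-differs:" + prints[0]
    return report

def demo():
    # Constructed bytes, not a real certificate: only the naming check is shown.
    der = b"constructed sample, not a real certificate"
    pem = ("-----BEGIN CERTIFICATE-----\n"
           + base64.encodebytes(der).decode()
           + "-----END CERTIFICATE-----\n")
    fingerprint = hashlib.sha256(der).hexdigest().upper()
    with tempfile.TemporaryDirectory() as store:
        Path(store, fingerprint + ".pem").write_text(pem)
        Path(store, "corp-root.pem").write_text(pem)
        return audit_store(store)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Run `audit_store` on a copy of the store directory: if the existing files report `name-matches-sha256`, the hypothesis holds for them, and the value after `name-differs:` is the name a differently named certificate would carry under that convention.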

Alok Kumar (Avast)
Hello Mariano,
We can certainly take a look into this. Could you share a screenshot of the AVG detection with "see details" page and also let us know the version of your Mac and AVG to proceed further.
You can post the screenshot here on your topic. Click on 'Answer' & then click on the 'Image' [mountain symbol] & follow the instructions.
Mariano Ivaldi
I am not sure what "see details" you're referring to.
I'm using Chrome to test. When I have both my firewall decryption and AVG Web Shield decryption, AVG reports that the SSL connection is untrusted (the firewall's root CA is not known to the AVG certificate store).

macOS Mojave 10.14.2
AVG AntiVirus 18.6 (07d9fcd7a8ed)
Chrome 71.0.3578.98 (Official Build) (64-bit)
Palo Alto Networks Firewall running PAN-OS 8.1.5 with SSL Forward Proxy decryption (self signed root CA certificate).

Just to reiterate. The goal is to get the Firewall's self signed root CA certificate to be trusted by AVG Web Shield, so we need to figure out how to import a certificate to be trusted by AVG.

Untrusted root CA reported by AVG when presented by the firewall's decryption certificate.
-980888528 (Avast)
Thank you for the info, Mariano. 
Are you facing this issue only with Chrome browser? Firstly, it is necessary to obtain a copy of the certificate.
This can be found with Keychain Access with Keychain "login" and category "Certificates". Search for "avg". You should find "AVG trusted CA". Select it and export it from the menu bar under "File" then "Export Items...". Save it somewhere accessible.
 
Next, the certificate needs to be added to your browser certificate manager.
Open Settings on browser > Privacy & Security tab. Scroll down to Security > Certificates. Open "View Certificates...". Click on "Authorities" then "Import...". Import "AVG trusted CA" and trust it to "identify websites". You can select "identify mail users" if you want.
Mariano Ivaldi

Ranjani,

 Thank you for trying to answer the question but this is not your typical cookie cutter scenario, and your suggestion won't resolve the issue.

 The AVG trusted CA certificate is already in Keychain.
 My firewall's trusted CA certificate is also already in Keychain.

 The Keychain certificate store is used by Chrome or Safari, but not by AVG. AVG uses its own private certificate store, and it is *there* where we need to install the firewall's self-signed root CA certificate.

 Using the https://bing.com website as an example, when AVG Web Shield is on and firewall decryption is turned off, Chrome opens a session with AVG Web Shield since it's running MITM for decryption. AVG Web Shield will impersonate the TLS connection for me and connect to the destination web-server. Since the most popular root CA certificates are already in its own private certificate store, AVG trusts the connection and presents Chrome with its 'AVG trusted CA' certificate, which Chrome knows about from Keychain access. So life is good.

However, when firewall decryption is also turned on, you now have a situation with two MITM in the path between Chrome or Safari (web-browser). When you initiate the session, AVG will try to open a TLS connection to https://bing.com, but instead of receiving the certificate from bing.com, it will receive the certificate injected by the firewall (firewall's root CA). Because AVG does not have the firewall root CA in its own certificate store, and AVG will not use Keychain Access certificates, then AVG decides it does not trust this firewall certificate, and pushes its AVG Untrusted certificate back to the web-browser, and that is the problem.

The two possible solutions that you can offer to resolve this issue are:

1. A procedure to manually install self-signed root CA certificates into AVG's Web Shield certificate store.

or

2. Change how AVG Web Gateway works with root CA certificates, so it doesn't have its own dedicated certificate store separate from macOS's, and will instead, share the system's certificate store in Keychain.
 

Karthikeyan (Foundever)
Hello Mariano,

In macOS certificates are stored in Keychain Access https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac.

It looks like a conflict with your firewall and our SSL scanning. We recommend that you disable SSL scanning from AVG Webshield settings:

1. Open the AVG app.
2. In the menu bar, click on AVG AntiVirus > Preferences > Shields > Webshield.
3. Click on the lock icon to be able to edit the settings.
4. Uncheck "Scan browser-based HTTPS connections".