CloudSWG TLS/SSL Intermediate CA Replacement

Broadcom will begin deploying an updated certificate chain of trust for TLS/SSL Interception starting in Q2 2026. A new certificate chain of trust is needed because one of the Intermediate CAs is being replaced, with a hard deadline of June 12, 2026.

The current Intermediate CA Cloud Services CA - G2 is being replaced with a new intermediate CA Cloud Services CA - G3

Note: The root CA, Cloud Services Root CA, is not changing.

Impact

This change has no impact on endpoints and other devices that follow our recommended guidelines. Because the new intermediate CA is issued by the existing root CA (Cloud Services Root CA), the chain of trust is unchanged for TLS/SSL decryption. No configuration changes are required for devices that already have the root CA installed.

For details, see:https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/about_ssl_co/ssl_certs.html

Required Action

No action is needed if TLS/SSL inspection is functioning normally.

To review recommendations on installing the root CA for different connectivity methods:

1. WSS Agent: The agent installation automatically installs the root CA
2. Proxy forwarding: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/conn-matrix/conn-about-proxyforward/conn-prxyfwd-symapp.html
3. IPSec/Explicit Proxy/Others: https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/cloud-swg/help/about_ssl_co/ssl_certs.html

   Support

   Questions? Contact technical support by visiting: https://support.broadcom.com/web/ecx/software-contact-support

   For service status and maintenance updates visit and subscribe to Broadcom Service Status: https://status.broadcom.com