Safari can't establish a secure connection to XG Firewall - Chrome/FF OK

Hi all

Suddenly I am not able to connect to my Sophos firewall running XG 16.5 from Safari anymore. I am running macOS 10.12.3. Safari shows the warning "Safari can't establish a secure connection to the server <FQDN-of-Firewall>". Since last autumn, the firewall has been using a certificate signed by CAcert for web authentication. The certificate store of the OS trusts all needed CAs from CAcert.

Firefox 51.0.1 connects w/o problems. After deleting the HSTS history for the FQDN in Chrome, this browser also works again. Deleting the HSTS.plist file for Safari did not make a difference - I am still unable to connect.

Does anyone have a clue why Safari refuses to connect, and if there is a workaround?

Thanks for reading and regards,

- Maurice

  • Hi lferra

    Your post together with this blog entry helped me solve the problem. I did not find any way to view in Safari what certificate was returned to the client. In Chrome I had to use Developer Tools, and this allowed me to solve the problem.

    To recap: I have two valid certificates in the appliance, one self-signed (Self-Signed CA) and one from another CA where I had to upload the CA root cert to the appliance (ExtCA root). I was unable to connect from Safari with either of them; Chrome worked with the Self-Signed CA. Checking the System Keychain on my macOS system, the Self-Signed CA was not present, and the ExtCA root was not trusted. After importing the Self-Signed CA and setting both CAs to "Trust", I was again able to connect via Safari.

    - Maurice
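
The two checks the reply above relied on (which certificate the server actually presents, and whether its issuing CA is in the client's trust store) can also be done from a terminal with `openssl`. The script below is an added example, not part of the thread: the host name `firewall.example.test`, the CA names and all certificates are constructed, and the function names are hypothetical. It assumes an `openssl` binary whose `verify` exits non-zero on failure.

```bash
#!/usr/bin/env bash
# Added example. All names, hosts and certificates here are constructed.

# Print the PEM chain a live server presents (needs network access).
# usage: fetch_chain firewall.example.test 443 > served.pem
fetch_chain() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Create a throwaway CA named $2 and a leaf certificate signed by it in dir $1.
make_test_pki() {
  local d=$1 ca_cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$ca_cn" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=firewall.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Who signed this certificate? This is the CA the client must trust.
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

# Return 0 only if certificate $1 chains to a root in PEM bundle $2.
chain_trusted() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

demo() {
  local a b
  a=$(mktemp -d) && b=$(mktemp -d) || return 1
  make_test_pki "$a" "Constructed CA A" &&
    make_test_pki "$b" "Constructed CA B" || return 1
  issuer_of "$a/leaf.pem"
  chain_trusted "$a/leaf.pem" "$a/ca.pem" &&
    echo "issuing CA in trust bundle: verified"
  chain_trusted "$a/leaf.pem" "$b/ca.pem" ||
    echo "issuing CA missing from bundle: rejected"
  rm -rf "$a" "$b"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run the script with the argument `demo` to see both outcomes. On macOS, `security verify-cert -c served.pem` evaluates a saved certificate against the keychain trust settings instead of a PEM bundle.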
