HTTPS Certificate Verification
You can enable the
Navigate to the HTTPS Policy page and find the Certificate Verification section. Click "Click here to change these settings".
We recommend selecting all the check options (not including Override blocking) to increase security.
Tell me about...
- Blocking sites with untrusted certificates
A site should present a certificate that is issued by an authority that is considered trusted. (A certificate is a digital means of proving your identity: when you send a digitally signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked.) Use this option to block sites that do not present trusted certificates.
- Blocking sites with revoked certificates
Select this check box to block access to any site using a certificate that has been revoked by its issuing authority.
- Blocking sites with expired or wrong purpose certificates
You can use this option to block access to sites with certificate chains that include an expired certificate. Blocking is effective even if it is a trusted CA certificate that has expired. You can also block sites with wrong purpose certificates.
A 'wrong purpose' certificate is one where the Key Usage (KU) and Extended Key Usage (EKU) properties of the CA and server certificates do not meet the expected conditions.
Verification policy varies according to the certificate that you are verifying, and the presence (or absence) of a key usage property within that certificate. The following tables describe the key usage verification policy for different certificate types:
Verification policy for Key Usage (KU):

| Certificate | if KU is absent | if KU is present |
|---|---|---|
| CA (certificate authority) | Allow | Block, if without 'Certificate Sign' |
| Server | Allow | Block, if without 'Digital Signature' |

Verification policy for Extended Key Usage (EKU):

| Certificate | if EKU is absent | if EKU is present |
|---|---|---|
| CA (certificate authority) | Allow | Allow |
| Server | Allow | Block, if without 'TLS Web Server Authentication' |
- Blocking sites with certificates that do not match the URL
A site might present a certificate in which the Subject Alternative Name (SAN) does not match the hostname of the site. Use this option to block sites with certificates that do not match the URL. If there is no SAN, this check is performed against the CN component of the certificate.
- Allow matching against wildcards in certificates
This option covers the case where wildcards are used in the Subject Alternative Name (SAN) or Common Name (CN) of a certificate. If you select this check box, the SAN *.my.domain will match the hostname in.my.domain, and such wildcard matches count as valid matches for the action selected for sites with certificates that do not match the URL.
A wildcard can only match one hostname label. For example, if the certificate SAN specifies *.my.domain, it will not match home.in.my.domain.
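The following is an added example, not code from the original documentation or the product, that applies the KU/EKU verification policy from the tables above and the SAN/CN hostname matching rules (wildcard matching one label, CN fallback only when no SAN is present) to constructed certificate descriptions given as plain dicts:

```python
# Added example (not from the original documentation): a small checker that applies
# the Key Usage / Extended Key Usage policy from the tables above and the wildcard
# hostname rule described on this page. Certificate inputs are plain dicts that are
# constructed here, not parsed from real certificates.


def ku_decision(cert_type, ku):
    """Return 'Allow' or 'Block' under the Key Usage (KU) policy.

    cert_type is 'CA' or 'Server'; ku is None when the KU extension is absent,
    otherwise a set of KU names such as {'Digital Signature'}.
    """
    if ku is None:  # absent KU is allowed for both certificate types
        return "Allow"
    required = {"CA": "Certificate Sign", "Server": "Digital Signature"}[cert_type]
    return "Allow" if required in ku else "Block"


def eku_decision(cert_type, eku):
    """Return 'Allow' or 'Block' under the Extended Key Usage (EKU) policy."""
    if cert_type == "CA" or eku is None:  # CA certs and absent EKU are always allowed
        return "Allow"
    return "Allow" if "TLS Web Server Authentication" in eku else "Block"


def hostname_matches(pattern, hostname, allow_wildcards):
    """Match one SAN/CN entry against a hostname (case-insensitive).

    A leading '*' matches exactly one label, so '*.my.domain' matches
    'in.my.domain' but not 'home.in.my.domain'.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    if not allow_wildcards:  # wildcard entries never match when the option is off
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_url(cert, hostname, allow_wildcards):
    """Use the SAN list when present; fall back to the CN only if there is no SAN."""
    names = cert.get("san") or [cert["cn"]]
    return any(hostname_matches(n, hostname, allow_wildcards) for n in names)
```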
- Allowing users to temporarily override blocking of sites with certificate failures
This option enables users to visit a site anyway when they encounter a block page that is the result of a certificate failure. You can specify the amount of time for which the verification checks on a site are overridden, using the Cache override... option.