HTTPS Certificate Verification

HTTPS policy settings enable the Gateway to check site certificates automatically, removing the burden from end users, who might otherwise accept bogus or invalid certificates without realising it. The administrator defines which checks are applied: the certificate's Common Name, expiration date, revocation status and issuer.

To specify the certificate verification settings:

  1. Select or clear the check box next to the Certificate Chain Verification option. When enabled, the Gateway validates the complete chain from the server certificate up to a trusted Certificate Authority (CA).
  2. Select or clear the check box next to the Check certificate revocation using option and select the revocation-checking method to use from the list.
  3. Select or clear the check box next to the Block certificates with no CRL or with an unknown OCSP state option. When enabled, access is denied to web sites whose certificates carry no Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) retrieval information, or whose revocation state cannot otherwise be determined. Leaving this disabled means a certificate that cannot be checked is treated as if it were valid, so a revoked certificate is only caught when the revocation source is reachable.
  4. Select or clear the check box next to the Block expired or wrong purpose certificates option. When enabled, the certificate presented by the web server is checked for its validity period and its intended use; the connection is denied if the certificate has expired or was not issued for the purpose of authenticating a web server.
  5. Select or clear the check box next to the Block certificates whose Common Name does not match the URL option. To guarantee the identity of a remote server, the Common Name in the certificate must exactly match the host name in the requested URL (the match is against the host name, not the path or port).
     If enabled, select or clear the check box next to the Allow wildcard certificates option to accept certificates whose Common Name begins with the * wildcard. Such a certificate authenticates every host at one level of a domain: *.example.com covers www.example.com but not example.com itself or a.b.example.com.
  6. Select or clear the check box next to the Allow access to sites with certification failures option. When enabled, a user can choose to visit a site whose certificate failed one of the checks above.
     If enabled, select or clear the check box next to the Cache bypassed certificates for up to option and enter the Timeout. An invalid certificate that the user has accepted is remembered for this period; once it has elapsed, the user is warned about the certificate again on the next visit.
  7. Click Save.
  8. Apply the configuration.
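The following is an added example and is not part of the Clearswift documentation or product code. It models the decisions the options above describe as a small policy evaluator in Python. The certificate is a constructed record of already-parsed fields (Common Name, validity period, extended key usage, chain result, revocation state, fingerprint) rather than a real X.509 object, and the field names, the Policy class and the "allow", "block" and "warn" outcomes are assumptions made for illustration. It shows the single-label wildcard rule, the fail-closed handling of an unknown revocation state, and how the bypass cache timeout governs when a user is warned again.

```python
"""Policy evaluator modelled on the gateway's HTTPS checks (illustrative example, not Clearswift code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ServerCert:                 # hypothetical view of the server's certificate
    common_name: str
    not_before: datetime
    not_after: datetime
    extended_key_usage: tuple     # e.g. ("serverAuth",) for a web-server certificate
    chain_valid: bool             # outcome of Certificate Authority chain verification
    revocation: str               # "good", "revoked" or "unknown" (no CRL/OCSP information)
    fingerprint: str              # identifies the certificate in the bypass cache


@dataclass
class Policy:                     # one field per option in the procedure above
    chain_verification: bool = True
    check_revocation: bool = True
    block_unknown_revocation: bool = True
    block_expired_or_wrong_purpose: bool = True
    block_cn_mismatch: bool = True
    allow_wildcards: bool = True
    allow_failures: bool = False
    bypass_cache: timedelta = timedelta(hours=1)


def hostname_matches(pattern: str, host: str, allow_wildcards: bool) -> bool:
    """Compare the certificate's Common Name with the requested host name (case-insensitive).

    A leading "*." matches exactly one label: "*.example.com" covers
    "www.example.com" but neither "example.com" nor "a.b.example.com".
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    if not allow_wildcards:
        return False
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost


def check_failures(cert: ServerCert, host: str, policy: Policy, now: datetime) -> list:
    """Return the names of the enabled checks the certificate fails (empty list = valid)."""
    failures = []
    if policy.chain_verification and not cert.chain_valid:
        failures.append("chain")
    if policy.check_revocation:
        if cert.revocation == "revoked":
            failures.append("revoked")
        elif cert.revocation == "unknown" and policy.block_unknown_revocation:
            failures.append("revocation-unknown")   # fail closed: state could not be determined
    if policy.block_expired_or_wrong_purpose:
        if not (cert.not_before <= now <= cert.not_after):
            failures.append("expired")
        if "serverAuth" not in cert.extended_key_usage:
            failures.append("wrong-purpose")
    if policy.block_cn_mismatch and not hostname_matches(
            cert.common_name, host, policy.allow_wildcards):
        failures.append("cn-mismatch")
    return failures


class Gateway:
    """Applies the policy and remembers certificates the user chose to bypass."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self._bypassed = {}          # (host, fingerprint) -> time the user accepted it

    def decide(self, cert, host, now, user_accepts=False):
        """Return ("allow" | "block" | "warn", failures)."""
        failures = check_failures(cert, host, self.policy, now)
        if not failures:
            return "allow", failures
        if not self.policy.allow_failures:
            return "block", failures
        key = (host, cert.fingerprint)
        accepted = self._bypassed.get(key)
        if accepted is not None and now - accepted <= self.policy.bypass_cache:
            return "allow", failures              # still inside the cache timeout
        if user_accepts:
            self._bypassed[key] = now             # start (or restart) the timeout
            return "allow", failures
        return "warn", failures                   # user must be told the certificate is invalid


NOW = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def at(hours: float) -> datetime:                         # reference time shifted by hours
    return NOW + timedelta(hours=hours)


# Constructed sample certificates (field order as in ServerCert), not any real site's certificate.
GOOD_CERT = ServerCert("www.example.com", at(-720), at(720), ("serverAuth",), True, "good", "aa:11")
WILDCARD_CERT = ServerCert("*.example.com", at(-720), at(720), ("serverAuth",), True, "good", "bb:22")
EXPIRED_CERT = ServerCert("www.example.com", at(-9600), at(-120), ("serverAuth",), True, "good", "cc:33")
NO_CRL_CERT = ServerCert("www.example.com", at(-720), at(720), ("serverAuth",), True, "unknown", "dd:44")
```

With the default policy, NO_CRL_CERT is blocked because its revocation state is unknown; with Allow access to sites with certification failures enabled, the same site produces "warn", becomes "allow" once the user accepts it, and returns to "warn" only after the bypass cache timeout has elapsed.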
 

Modifying these settings affects how the policy is applied and may require a proxy restart, which disconnects users from their current web sessions.

We recommend using OCSP in addition to CRL checking rather than on its own, because not every Certificate Authority provides an OCSP responder. With both enabled, a certificate that offers only a CRL can still have its revocation state determined, which matters when Block certificates with no CRL or with an unknown OCSP state is enabled.

© 1995–2018 Clearswift Ltd.