You can enable the
Navigate to the HTTPS Policy page and find the Certificate Verification section. Click the "Click here to change these settings" link.
We recommend selecting all the check options (not including Override blocking) to increase security.
A site should present a certificate (a digital means of proving your identity: when you send a digitally-signed message, you send your certificate and public key; certificates are issued by a certification authority and can expire or be revoked) that is issued by an authority that is considered trusted. Use this option to block sites that do not present trusted certificates.
Select this check box to block access to any site using a certificate that has been revoked by its issuing authority.
You can use this option to block access to sites whose certificate chain includes an expired certificate. Blocking applies even if the expired certificate is a trusted CA certificate. You can also block sites with 'wrong purpose' certificates.
A 'wrong purpose' certificate is one whose Key Usage (KU) and Extended Key Usage (EKU) properties, for a CA or server certificate, do not meet the expected conditions.
Verification policy varies according to the certificate that you are verifying, and the presence (or absence) of a key usage property within that certificate. The following tables describe the key usage verification policy for different certificate types:
Verification policy for Key Usage (KU):
Certificate | if KU is absent | if KU is present |
---|---|---|
CA (certificate authority) | Allow | Block, if without 'Certificate Sign' |
Server | Allow | Block, if without 'Digital Signature'; Block, if without 'Certificate Sign' |
Verification policy for Extended Key Usage (EKU):
Certificate | if EKU is absent | if EKU is present |
---|---|---|
CA (certificate authority) | Allow | Allow |
Server | Allow | Block, if without 'TLS Web Server Authentication' |
A site might present a certificate in which the Subject Alternative Name (SAN) does not match the hostname of the site. Use this option to block sites with certificates that do not match the URL. If there is no SAN, this check is performed against the CN component of the certificate.
This option covers the case where wildcards are used in the Subject Alternative Name (SAN) or Common Name (CN) of a certificate. If you select this check box, *.my.domain (SAN) will match in.my.domain (hostname). If you select this check box, any valid wildcard matches are included in the action selected for sites with certificates that do not match the URL.
A wildcard matches only one level of hostname. For example, if the certificate SAN specifies *.my.domain, it will not match home.in.my.domain.
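The following example, added here as an illustration and not Clearswift code, encodes the KU/EKU verification tables and the SAN/CN hostname matching rule (including the single-label wildcard limit) so the checks can be traced on sample input. Certificates are modelled as plain dicts with assumed field names (type, ku, eku, san, cn, not_after, revoked, trusted) rather than parsed X.509 objects, the function names are this example's own, and the server row of the KU table is modelled on its 'Digital Signature' condition; all sample data is constructed.

```python
"""Worked example of the certificate verification checks described above.

Added illustration, not Clearswift code. Certificates are plain dicts
(constructed sample data) instead of parsed X.509 objects so this runs offline.
Field names and function names are assumptions made for this example.
"""
from datetime import date


def ku_policy(cert_type, key_usage):
    """Key Usage table: key_usage=None means the KU extension is absent."""
    if key_usage is None:
        return "Allow"                       # absent KU is allowed for CA and server
    if cert_type == "CA":
        return "Allow" if "Certificate Sign" in key_usage else "Block"
    if cert_type == "Server":
        # Assumption: server row modelled on its 'Digital Signature' condition
        return "Allow" if "Digital Signature" in key_usage else "Block"
    raise ValueError(f"unknown certificate type: {cert_type}")


def eku_policy(cert_type, ext_key_usage):
    """Extended Key Usage table: ext_key_usage=None means EKU is absent."""
    if ext_key_usage is None or cert_type == "CA":
        return "Allow"                       # CA certificates are allowed either way
    if cert_type == "Server":
        return "Allow" if "TLS Web Server Authentication" in ext_key_usage else "Block"
    raise ValueError(f"unknown certificate type: {cert_type}")


def name_matches(pattern, hostname, allow_wildcard):
    """Match one SAN/CN entry against the hostname; a wildcard covers one label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if allow_wildcard and pattern.startswith("*."):
        suffix = pattern[1:]                 # "*.my.domain" -> ".my.domain"
        if hostname.endswith(suffix):
            label = hostname[: -len(suffix)]
            # in.my.domain matches; home.in.my.domain (two labels) does not
            return label != "" and "." not in label
    return False


def hostname_matches(cert, hostname, allow_wildcard):
    """Check the SAN list; fall back to the CN only when there is no SAN."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(n, hostname, allow_wildcard) for n in names)


def verify_site(chain, hostname, today, *, block_untrusted=True, block_revoked=True,
                block_expired=True, block_wrong_purpose=True, block_mismatch=True,
                match_wildcards=True):
    """Return the reasons a site would be blocked (empty list means allowed).

    chain[0] is the server certificate, chain[-1] the root CA. Each keyword
    argument stands for one check box on the HTTPS Policy page.
    """
    reasons = []
    if block_untrusted and not chain[-1].get("trusted", False):
        reasons.append("untrusted issuer")
    if block_revoked and any(c.get("revoked") for c in chain):
        reasons.append("revoked certificate")
    if block_expired and any(c["not_after"] < today for c in chain):
        reasons.append("expired certificate in chain")   # also fires for an expired CA
    if block_wrong_purpose:
        for c in chain:
            if "Block" in (ku_policy(c["type"], c.get("ku")),
                           eku_policy(c["type"], c.get("eku"))):
                reasons.append(f"wrong purpose: {c['subject']}")
    if block_mismatch and not hostname_matches(chain[0], hostname, match_wildcards):
        reasons.append("certificate does not match URL")
    return reasons


# Constructed sample data (not real certificates).
ROOT_CA = {"subject": "Example Root CA", "type": "CA", "trusted": True, "revoked": False,
           "ku": {"Certificate Sign", "CRL Sign"}, "eku": None, "not_after": date(2030, 1, 1)}
GOOD_LEAF = {"subject": "*.my.domain", "type": "Server", "revoked": False,
             "ku": {"Digital Signature", "Key Encipherment"},
             "eku": {"TLS Web Server Authentication"},
             "san": ["*.my.domain"], "cn": "my.domain", "not_after": date(2030, 1, 1)}
WRONG_PURPOSE_LEAF = dict(GOOD_LEAF, subject="in.my.domain", san=["in.my.domain"],
                          eku={"Code Signing"})
TODAY = date(2024, 1, 1)

if __name__ == "__main__":
    for host in ("in.my.domain", "home.in.my.domain"):
        print(host, verify_site([GOOD_LEAF, ROOT_CA], host, TODAY) or "allowed")
    print("wrong purpose:", verify_site([WRONG_PURPOSE_LEAF, ROOT_CA], "in.my.domain", TODAY))
```

Running the module shows in.my.domain allowed by the wildcard SAN, home.in.my.domain blocked because the wildcard does not span two labels, and the code-signing leaf blocked as 'wrong purpose' even though its chain is trusted and unexpired; passing `match_wildcards=False` turns the first case into a URL mismatch.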
This option enables users to visit the site anyway when they encounter a block page that is the result of a certificate failure. You can specify how long the verification checks are overridden for a site using the Cache override... option.
© 1995–2018 Clearswift Ltd.