Working With Encrypted Data > Validating certificates
1. Go to Configure > SSL > Validation > General.
2. Enable the certificate verification engine: This option enables and disables the certificate verification engine.
3. Deny certificates where the common name does not match the URL: When enabled, two checks are made:
4. Allow wildcard certificates: This is a sub-option of Deny certificates where the common name does not match the URL. When enabled, it allows matches with Common Names that include the "*" (wildcard) character.
5. No expired or not yet valid certificates: When enabled, denies access to sites that offer an expired or not yet valid certificate. This basic check is important because many malicious sites operate with expired certificates. If this option is not selected, access to those sites is permitted.
6. Verify entire certificate chain: When enabled, verifies the expiration and revocation status of every certificate between the site certificate and the root Certificate Authority, as specified in the certificate's certification path. This is an important check.
7. Check certificate revocation by CRL: Certificate revocation lists (CRLs) are used to check a certificate's revocation status. A CRL lists certificates that the CA has issued and subsequently revoked.
8. Check certificate revocation by OCSP: Online Certificate Status Protocol (OCSP) is an alternate way to check a certificate's revocation status. While OCSP is beneficial, it is not used as widely as CRLs and therefore is not as reliable. It is also a real-time, Internet-hosted check that can add some request-handling latency.
   It is recommended that you use OCSP in addition to, rather than instead of, CRLs. See Keeping revocation information up to date for more information on CRLs and OCSP.
9. Block certificates with Unknown OCSP state: When OCSP revocation checking is enabled, enable this option to block certificates whose OCSP response returns the "Unknown" status.
10. Preferred method for revocation check: When both CRL and OCSP revocation checking are enabled, use this option to indicate which method to apply first. The default is CRL.
11. Block certificates with no CRL URI and with no OCSP URI: When CRL checking, OCSP checking, or both are enabled, use this option to block certificates that lack the expected associated URIs. For example, if only CRL checking is enabled and this option is enabled, a certificate without a CRL URI is blocked. When both CRL and OCSP checking are enabled, the connection is blocked only if the certificate lacks both a CRL URI and an OCSP URI.
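The following added example shows how the options above combine on a single connection; it is illustrative Python written for this page, not code from the product or its documentation. The certificate description is constructed, the field and function names are ours, and two behaviours are assumptions rather than documented product behaviour: when a certificate lacks the URI for the preferred method the evaluator falls back to the other enabled method, and an OCSP "Unknown" that is not blocked is treated as no answer.

```python
from dataclasses import dataclass
from datetime import datetime
@dataclass
class CertInfo:  # constructed stand-in for the parsed X.509 fields the checks need
    common_name: str
    not_before: datetime
    not_after: datetime
    crl_uri: str = ""            # empty: certificate carries no CRL distribution point
    ocsp_uri: str = ""           # empty: certificate carries no OCSP responder URI
    crl_status: str = "good"     # result of the CRL lookup: "good" | "revoked"
    ocsp_status: str = "good"    # result of the OCSP query: "good" | "revoked" | "unknown"
@dataclass
class Policy:  # one flag per option on Validation > General (field names are ours)
    deny_cn_mismatch: bool = True
    allow_wildcard: bool = True
    deny_expired: bool = True
    check_crl: bool = True
    check_ocsp: bool = True
    block_unknown_ocsp: bool = True
    preferred: str = "crl"       # method applied first when both are enabled
    block_no_uri: bool = True
def cn_matches(cn: str, host: str, allow_wildcard: bool) -> bool:
    cn, host = cn.lower(), host.lower()
    if cn == host:
        return True
    # "*" is honoured only as the whole leftmost label and matches exactly one label
    if allow_wildcard and cn.startswith("*."):
        return host.endswith(cn[1:]) and host.count(".") == cn.count(".")
    return False

def validate(cert: CertInfo, host: str, policy: Policy, now: datetime):
    if policy.deny_cn_mismatch and not cn_matches(cert.common_name, host, policy.allow_wildcard):
        return False, "cn_mismatch"
    if policy.deny_expired and not (cert.not_before <= now <= cert.not_after):
        return False, "outside_validity_period"
    order = (policy.preferred, "ocsp" if policy.preferred == "crl" else "crl")
    methods = [m for m in order if getattr(policy, f"check_{m}")]
    if policy.block_no_uri and methods and not any(getattr(cert, f"{m}_uri") for m in methods):
        return False, "no_revocation_uri"  # both enabled: blocks only when both URIs are absent
    for m in methods:
        if not getattr(cert, f"{m}_uri"):
            continue                     # no URI for this method: fall back to the other
        status = getattr(cert, f"{m}_status")
        if status == "revoked":
            return False, f"revoked_by_{m}"
        if status == "good":
            return True, f"{m}_good"
        if policy.block_unknown_ocsp:    # status is "unknown", which only OCSP returns
            return False, "ocsp_unknown"
    return True, "no_revocation_check"
```

`validate` returns `(allowed, reason)`, so the reason string shows which option decided the outcome.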