Fine-tune Invalid Certificate Detection on Secure Connections
Provide a list of certificate authorities that you trust and configure how you want the certificate verification feature to check for and handle missing and revoked certificates.
- In Skyhigh CASB, select Policy > Web Policy > Feature Configuration.
- From the Feature Config list, select Certificate Verification > Default TLS Certificate Chain Settings.
- From the Actions drop-down list, select Clone and Edit.
- Provide a name for the feature configuration and an optional comment.
- Select a Revocation checking method order to use when checking for revoked certificates:
  - OCSP, CRL — Use the Online Certificate Status Protocol first, then use the Certificate Revocation List method.
  - CRL, OCSP — Use the Certificate Revocation List method first, then use the Online Certificate Status Protocol.
- Select Treat OCSP response 'unknown' as revoked to treat certificates whose OCSP status is unknown as revoked.
- Select Automatic download of missing certificates (via AIA) to allow the certificate verification feature to rebuild certificate chains that have missing intermediate certificates by using the Authority Information Access (AIA) SSL extension.
- To upload CA certificates:
  - Click Add CA.
  - Locate and select the CA certificate, then click Open.
  - Optionally configure these fields:
    - Customized Certificate Name
    - Certificate revocation list URI
    - OCSP responder URI
  - Click Save.
- You can edit certificates in the list or delete them from the list:
  - Edit a certificate in the list — Click the menu icon in-line with the certificate, then select Edit from the drop-down list.
  - Delete a certificate from the list — Click the menu icon in-line with the certificate, then select Delete from the drop-down list.
- Click Save.
The named Certificate Verification configuration is saved.
You can publish saved changes to the cloud now or keep working and publish later.
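The three decisions this configuration controls (whether a chain can be built when an intermediate is missing, whether a CRL marks the certificate revoked, and what an OCSP responder answers for a certificate it has no record of) can be reproduced offline with the openssl CLI. The script below is an added example, not Skyhigh code: it builds a throwaway root, intermediate and leaf PKI in a temporary directory, revokes the leaf, and runs each check. Every name in it (Demo Root, example.test, stray.pem, the serial numbers) is constructed for the demo.

```sh
#!/bin/sh
# Added example, not Skyhigh's code. Builds a throwaway root -> intermediate ->
# leaf PKI with the openssl CLI, then shows the three decisions the feature
# configuration above controls: chain building with a missing intermediate,
# CRL revocation checking, and the OCSP "unknown" status. All names constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config shared by openssl req / ca / x509 (constructed for this demo).
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/inter.pem
private_key      = $dir/inter.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 30
default_crl_days = 7
policy           = any_pol
[ any_pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
subjectAltName   = DNS:example.test
EOF
touch index.txt
echo 1000 > serial
echo 01 > crlnumber

q() { "$@" >/dev/null 2>&1; }   # run a command quietly; exit status preserved

# Root CA (self-signed), then an intermediate CA signed by the root.
q openssl req -x509 -new -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 30
q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout inter.key -out inter.csr -subj "/CN=Demo Intermediate"
q openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.cnf -extensions v3_ca -out inter.pem

# Leaf issued through `openssl ca`, so it is recorded in index.txt; then revoked,
# and the intermediate's CRL is published.
q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=example.test"
q openssl ca -batch -config ca.cnf -extensions v3_leaf -notext -in leaf.csr -out leaf.pem
q openssl ca -config ca.cnf -revoke leaf.pem
q openssl ca -config ca.cnf -gencrl -out inter.crl

# A second leaf signed directly with the intermediate key: the signature is
# valid, but the responder's database (index.txt) has no record of it.
q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout stray.key -out stray.csr -subj "/CN=stray.example.test"
q openssl x509 -req -in stray.csr -CA inter.pem -CAkey inter.key -set_serial 4242 \
    -days 30 -extfile ca.cnf -extensions v3_leaf -out stray.pem

# Chain building with only the root trusted. Without the intermediate no path
# exists; fetching it from the leaf's AIA extension is what the
# "Automatic download of missing certificates (via AIA)" option automates.
verify_without_intermediate() { q openssl verify -CAfile root.pem leaf.pem; }
verify_with_intermediate()    { q openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem; }
# Same chain, now also checking the leaf against the intermediate's CRL.
verify_with_crl() {
    q openssl verify -crl_check -CAfile root.pem -untrusted inter.pem -CRLfile inter.crl leaf.pem
}

# OCSP: produce a signed response from index.txt (responder side), then read it
# back as a client and print only the status word: good, revoked or unknown.
ocsp_status() {
    q openssl ocsp -index index.txt -CA inter.pem -rsigner inter.pem -rkey inter.key \
        -issuer inter.pem -cert "$1" -no_nonce -respout "$1.ocsp"
    openssl ocsp -respin "$1.ocsp" -issuer inter.pem -cert "$1" -CAfile root.pem -no_nonce 2>/dev/null \
        | awk -v c="$1:" '$1 == c { print $2 }'
}

report() { if "$1"; then echo "$1: pass"; else echo "$1: fail"; fi; }
report verify_without_intermediate   # fail: unable to get local issuer certificate
report verify_with_intermediate      # pass
report verify_with_crl               # fail: certificate revoked
echo "OCSP leaf.pem:  $(ocsp_status leaf.pem)"    # revoked
echo "OCSP stray.pem: $(ocsp_status stray.pem)"   # unknown: blocked only if "Treat OCSP response 'unknown' as revoked" is set
```

The last line is the case the Treat OCSP response 'unknown' as revoked option decides: the responder cannot vouch for stray.pem either way, and a verifier that does not map "unknown" to "revoked" will accept the certificate on the strength of its signature alone. The first check shows why AIA chain rebuilding matters: a leaf presented without its intermediate fails verification even though nothing about it is wrong.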