Configure the Certificate Verification settings
Provide a list of certificate authorities that you trust and configure how you want Skyhigh Security WGCS to check for and handle missing and revoked certificates.
To configure Certificate Verification settings:
- Go to Policy > Web Policy > Feature Configuration.
- From the Feature Config list, select Certificate Verification > Default TLS Certificate Chain Settings.
- From the Actions drop-down list, select Clone and Edit.
- Provide a name for the feature configuration and an optional comment.
- Select a Revocation checking method order to use when checking for revoked certificates:
  - OCSP, CRL. Use the Online Certificate Status Protocol first, then use the Certificate Revocation List method.
  - CRL, OCSP. Use the Certificate Revocation List method first, then use the Online Certificate Status Protocol.
- Select Treat OCSP response 'unknown' as revoked to treat certificates whose OCSP status is unknown as revoked.
- Select Automatic download of missing certificates (via AIA) to allow WGCS to rebuild certificate chains that are missing intermediate certificates by using the Authority Information Access (AIA) SSL extension.
- To upload CA certificates, click Add CA. Locate and select the CA certificate, then click Open. Optionally configure these fields:
  - OCSP responder URI
  - Trusted
  - Certificate revocation list URI
  - Customized Certificate Name
- Click Save.
- Next, choose to edit certificates in the list or delete them from the list:
  - Edit a certificate in the list — Click the menu icon in-line with the certificate, then select Edit from the drop-down list.
  - Delete a certificate from the list — Click the menu icon in-line with the certificate, then select Delete from the drop-down list.
- Click Save. The named Certificate Verification configuration is saved locally.
You can publish locally saved changes to the cloud now or keep working and publish later.
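
The revocation method order and the AIA download option both rely on URLs carried inside the certificates being verified. The following added example (not part of the Skyhigh Security documentation) lists the OCSP, CRL and AIA caIssuers URLs a certificate advertises, so you can see which checks it can support. It assumes OpenSSL 1.1.1 or later; the function names, the `example.test` URLs and the throwaway certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the revocation and chain-building URLs a certificate advertises.

# Print ocsp=, crl= and ca_issuers= lines for the PEM certificate in $1.
cert_endpoints() {
    cert=$1
    # OCSP responder URL from the Authority Information Access (AIA) extension.
    ocsp=$(openssl x509 -in "$cert" -noout -ocsp_uri 2>/dev/null || true)
    # CRL distribution point URL(s).
    crl=$(openssl x509 -in "$cert" -noout -ext crlDistributionPoints 2>/dev/null |
          grep -o 'URI:[^[:space:]]*' | cut -d: -f2- || true)
    # caIssuers URL in AIA: where a missing intermediate can be downloaded.
    issuers=$(openssl x509 -in "$cert" -noout -ext authorityInfoAccess 2>/dev/null |
              grep 'CA Issuers' | grep -o 'URI:[^[:space:]]*' | cut -d: -f2- || true)
    printf 'ocsp=%s\ncrl=%s\nca_issuers=%s\n' \
        "${ocsp:-none}" "${crl:-none}" "${issuers:-none}"
}

# Build a throwaway self-signed certificate at $1 (constructed sample input).
# Any further arguments are passed to "openssl req", for example -addext options.
make_sample_cert() {
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=sample.example.test' \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}

# Compare a certificate that carries all three URLs with one that carries none.
demo() {
    tmp=$(mktemp -d)
    make_sample_cert "$tmp/full.pem" \
        -addext 'authorityInfoAccess=OCSP;URI:http://ocsp.example.test/,caIssuers;URI:http://ca.example.test/ca.cer' \
        -addext 'crlDistributionPoints=URI:http://crl.example.test/ca.crl'
    make_sample_cert "$tmp/bare.pem"
    echo '--- full.pem'; cert_endpoints "$tmp/full.pem"
    echo '--- bare.pem'; cert_endpoints "$tmp/bare.pem"
    rm -rf "$tmp"
}
demo
```

A certificate that reports `none` for both `ocsp` and `crl` advertises no revocation endpoint of its own, and one that reports `none` for `ca_issuers` gives AIA download no URL to fetch a missing intermediate from.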