Configure the Certificate Verification settings

Provide a list of certificate authorities that you trust and configure how you want Skyhigh Security WGCS to check for and handle missing and revoked certificates.

1. Go to Policy > Web Policy > Feature Configuration.

2. From the Feature Config list, select Certificate Verification > Default TLS Certificate Chain Settings.

3. From the Actions drop-down list, select Clone and Edit.

4. Provide a name for the feature configuration and an optional comment.

5. Select a Revocation checking method order to use when checking for revoked certificates:

   • OCSP, CRL. Use the Online Certificate Status Protocol first, then use the Certificate Revocation List method.

   • CRL, OCSP. Use the Certificate Revocation List method first, then use the Online Certificate Status Protocol.

6. Select Treat OCSP response 'unknown' as revoked to treat certificates whose OCSP status is unknown as revoked.

7. Select Automatic download of missing certificates (via AIA) to allow WGCS to rebuild certificate chains having missing intermediate certificates by using the Authority Information Access (AIA) SSL extension.

8. To upload CA certificates, click Add CA. Locate and select the CA certificate, then click Open. Optionally configure these fields:

   • OCSP responder URI • Trusted

   • Certificate revocation list URI

   • Customized Certificate Nam 

9. Click Save.

10. Next, choose to  edit certificates in the list or delete them from the list:

    • Edit a certificate in the list — Click the menu icon in-line with the certificate, then select Edit from the drop-down list.

    • Delete a certificate from the list — Click the menu icon in-line with the certificate, then select Delete from the drop-down list.

11. Click Save. The named Certificate Verification configuration is saved locally.

You can publish locally saved changes to the cloud now or keep working and publish later.