The SSL Visibility Appliance validates the server certificate chain before resigning it. The result of that validation is available to policy: an invalid chain can be resigned with a CA that clients do not trust, so the appliance still decrypts the session while the client still sees an untrusted certificate, preserving the original certificate status.
To validate a server certificate chain, the SSL Visibility Appliance must be able to rebuild the complete chain from the server certificate up to the root CA, which requires access to every certificate in the chain:
- The server (end-entity) certificate is always sent on the wire.
- Any intermediate CA certificates must either be sent by the server on the wire along with the server certificate, or be present in the external CA store.
- The root CA certificate must be in the SSL Visibility Appliance external CA store; a root sent by the server on the wire does not establish trust.
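The following script is an added example, not appliance code or configuration, that emulates this chain rebuild with the openssl command line: `-untrusted` stands in for the certificates the server sent on the wire and `-CAfile` for the appliance's external CA store, which is the only trust source used. The throwaway three-tier PKI (Demo Root CA, Demo Intermediate CA, www.example.test), the file names and the function names are all made up for the demo; it needs OpenSSL 1.1 or later.

```shell
#!/bin/sh
# Added example (not SSL Visibility Appliance code): rebuild a server certificate
# chain the way the appliance must before resigning, using the openssl CLI.
#   -untrusted FILE  = intermediates the server sent on the wire
#   -CAfile FILE     = the external CA store (only trust source; system store disabled)
# The demo PKI, subject names and file names below are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# mk_cert NAME SUBJECT ISSUER EXTFILE -> NAME.key, NAME.pem
# ISSUER is "self" for a self-signed root, otherwise the NAME of the issuing CA.
mk_cert() {
    name=$1; subj=$2; issuer=$3; ext=$4
    openssl req -new -nodes -newkey rsa:2048 -keyout "$name.key" -out "$name.csr" \
        -subj "$subj" >/dev/null 2>&1
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
    fi
}

# Build root -> intermediate -> leaf plus the inputs for the four scenarios.
build_demo_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    mk_cert root  '/CN=Demo Root CA'         self  ca.ext
    mk_cert inter '/CN=Demo Intermediate CA' root  ca.ext
    mk_cert leaf  '/CN=www.example.test'     inter leaf.ext
    cp root.pem store_root_only.pem                   # external CA store: root only
    cat root.pem inter.pem > store_root_and_inter.pem # external CA store: root + intermediate
    cp inter.pem wire_intermediates.pem               # what a well-configured server sends
}

# rebuild_chain STORE LEAF [WIRE]
# Exit 0 when a complete chain from LEAF to a root in STORE can be built using only
# the certificates in WIRE (server-sent) and STORE; non-zero otherwise.
rebuild_chain() {
    store=$1; leaf=$2; wire=${3:-}
    if [ -n "$wire" ]; then
        openssl verify -no-CApath -CAfile "$store" -untrusted "$wire" "$leaf" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$store" "$leaf" >/dev/null 2>&1
    fi
}

# report LABEL STORE LEAF [WIRE]: print the policy-relevant outcome for one scenario.
report() {
    label=$1; shift
    if rebuild_chain "$@"; then echo "$label: chain rebuilt, certificate valid"
    else echo "$label: chain incomplete, certificate invalid"; fi
}

build_demo_pki
report "intermediate on wire, root in store"        store_root_only.pem      leaf.pem wire_intermediates.pem
report "intermediate not on wire but in store"      store_root_and_inter.pem leaf.pem
report "intermediate neither on wire nor in store"  store_root_only.pem      leaf.pem
report "root not in store, intermediate only"       inter.pem                leaf.pem wire_intermediates.pem
```

The last two scenarios are the ones that matter for policy: a missing intermediate and a missing root both leave the chain incomplete, and openssl, like the appliance, refuses to treat a trusted but non-self-signed intermediate as an anchor unless explicitly told to accept partial chains.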