Test Server Certificate Validation rules in the VPM

Article ID: 172409

Products

ProxySG Software - SGOS

Issue/Introduction

The purpose of this article is to provide a way to test the rules that use the "Server Certificate Validation" action.

A certificate is considered invalid when at least one of the following occurs:

  • Common Name Mismatch / Wrong Host: When the SNI in the request does not match the Common Name in the certificate, or the SNI is not present in the certificate's Subject Alternative Name (SAN) extension.
  • Untrusted Issuer: When the certificate that the client receives, or its issuer, is not installed in the browser's trusted certification authorities container.
  • Expired Certificate: When the time limit (set when the certificate is created) has been surpassed.

Resolution

The following sites allow each of these conditions to be tested safely:

Common Name Mismatch / Wrong Host:

https://wrong.host.badssl.com/

Untrusted Issuer:

https://untrusted-root.badssl.com/

Expired Certificate:

https://expired.badssl.com/
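Before testing the policy, it helps to confirm which validation failure each test site actually produces for a normal TLS client. The script below is an added example, not part of the original article or of any Broadcom tooling: it performs a fully verified handshake with each host using Python's `ssl` module and maps the OpenSSL verify code to the three categories above. The function names and the code-to-category grouping are assumptions made for this illustration; run it from a host that reaches the sites directly.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* verify codes grouped under the article's categories.
CATEGORIES = {
    62: "Common Name Mismatch / Wrong Host",  # HOSTNAME_MISMATCH
    10: "Expired Certificate",                # CERT_HAS_EXPIRED
    18: "Untrusted Issuer",                   # DEPTH_ZERO_SELF_SIGNED_CERT
    19: "Untrusted Issuer",                   # SELF_SIGNED_CERT_IN_CHAIN
    20: "Untrusted Issuer",                   # UNABLE_TO_GET_ISSUER_CERT_LOCALLY
    21: "Untrusted Issuer",                   # UNABLE_TO_VERIFY_LEAF_SIGNATURE
}

# Test hosts from the article and the category each one should trigger.
EXPECTED = {
    "wrong.host.badssl.com": "Common Name Mismatch / Wrong Host",
    "untrusted-root.badssl.com": "Untrusted Issuer",
    "expired.badssl.com": "Expired Certificate",
}


def classify(verify_code):
    """Map an OpenSSL verify code to one of the article's categories."""
    return CATEGORIES.get(verify_code, f"Other (verify code {verify_code})")


def probe(host, port=443, timeout=10.0):
    """Handshake with full verification; return 'Valid' or the failure category."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "Valid"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)


def run_checks(probe_fn=probe):
    """Return (host, expected, observed, matched) for every test host."""
    results = []
    for host, expected in EXPECTED.items():
        observed = probe_fn(host)
        results.append((host, expected, observed, observed == expected))
    return results


if __name__ == "__main__":
    for host, expected, observed, matched in run_checks():
        status = "OK" if matched else "MISMATCH"
        print(f"{status:8} {host:28} expected={expected!r} observed={observed!r}")
```

If the script is run from a client whose traffic is intercepted by the proxy, the observed result reflects the certificate the proxy presents to the client rather than the origin server's certificate.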