Cut-through rule option to ignore Certificate Status


Article ID: 176095



SSL Visibility Appliance Software


The SSLv release contains the following new feature: Ignore Certificate Status - Allows untrusted certificate information to be used for policy decisions. (Only applicable to Cut Through)



To override the default behavior, select the Ignore Certificate Status check box (located in the SSL tab when inserting or editing a Cut Through rule). When this option is selected, the rule ignores the server certificate status when determining whether the certificate matches the criteria specified in the rule. SSL Visibility ignores all certificate statuses, including: self-signed, invalid-issuer, incomplete-chain, invalid-signature, invalid-purpose, unsupported-extension, crl-error, weak-key, and revoked. Since this option is only present on Cut Through rules, the original certificate status is still presented to the client on the cut-through connection, giving the client the ability to make the final determination on how to proceed given the status of the certificate.

Caution: Although the option Ignore Certificate Status is available to override the default behavior, enabling the option is not recommended. The preferred method is through management of certificates and certificate authorities in the PKI store. Refer to the guidelines below:

If you want to trust an untrusted certificate, proceed carefully. Here are some guidelines:
- Generally, it is not recommended to add the untrusted CA that issued the certificate as a trusted CA on SSL Visibility, as this will cause all server certificates issued by this CA to be trusted rather than just a single server certificate. This could be a valid approach if you want to trust all server certificates issued by your enterprise root CA, however. A better approach would be to apply to have your enterprise root CA publicly trusted.

- You could add the explicit server certificate as a trusted certificate to SSL Visibility. This will allow the traffic for that explicit destination to be cut through. Any other server certificate that has the same CN will differ in its signature, i.e. it has different keys, serial number, etc., so it will not match the server certificate you have added as trusted, and so will remain untrusted.

- You could add a Cut Through rule based on destination IP address. This will work, but may be more difficult to maintain, especially for a distributed server configuration that may present many IP addresses.
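The following is an added illustrative model, not SSL Visibility code, of the two behaviours described above: how the Ignore Certificate Status option changes whether a CN-based Cut Through rule matches, and why explicitly trusting one server certificate (keyed on the whole certificate, not its CN) does not extend to a different certificate with the same CN. The status checks, trust store fields, and sample certificates are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Statuses the article lists as ignored by the option (constructed model, not appliance code).
IGNORABLE_STATUSES = {
    "self-signed", "invalid-issuer", "incomplete-chain", "invalid-signature",
    "invalid-purpose", "unsupported-extension", "crl-error", "weak-key", "revoked",
}

@dataclass(frozen=True)
class Cert:
    cn: str
    issuer: str
    serial: int
    der: bytes  # constructed stand-in for the DER encoding; real certs differ here too

    def fingerprint(self) -> str:
        # Explicit trust is keyed on the whole certificate, not on the CN.
        return hashlib.sha256(self.der).hexdigest()

@dataclass
class TrustStore:
    trusted_cas: set = field(default_factory=set)           # issuer names (hypothetical)
    trusted_fingerprints: set = field(default_factory=set)  # explicitly trusted leaf certs
    revoked_serials: set = field(default_factory=set)       # stand-in for CRL data

def certificate_status(cert: Cert, store: TrustStore) -> str:
    """Simplified status check: 'valid' or one of the statuses above."""
    if cert.fingerprint() in store.trusted_fingerprints:
        return "valid"                        # guideline 2: explicit server certificate
    if cert.issuer == cert.cn:
        return "self-signed"
    if cert.issuer not in store.trusted_cas:
        return "invalid-issuer"
    if cert.serial in store.revoked_serials:
        return "revoked"
    return "valid"

def cut_through_matches(cert: Cert, store: TrustStore, rule_cn: str,
                        ignore_status: bool = False) -> bool:
    """Model of a Cut Through rule keyed on server CN, with the option toggled."""
    if cert.cn != rule_cn:
        return False
    status = certificate_status(cert, store)
    assert status == "valid" or status in IGNORABLE_STATUSES
    return status == "valid" or ignore_status
```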