Bypassing certificate verification

The cloud service verifies certificates for HTTPS sites that it has decrypted and analyzed. Certificate verification is enabled by default on the SSL tab of the Bypass Settings page, and happens automatically in one of the following cases:

  • SSL decryption has been enabled for web categories (see Web Categories tab).
  • You have enabled notification pages to be served for HTTPS sites (see HTTPS notifications).
  • You are using secure form-based authentication (see Access Control tab).
  • You have configured end user single sign-on functionality.
  • You have deployed an I Series appliance and enabled any of the authentication methods available in the policy.

Certificate verification checks are numerous and apply to all certificates in the trust chain. For example:

  • The certificate must be issued by a trusted Certificate Authority (CA). For a list of supported CAs, see the Knowledge Base article What are the trusted Certificate Authorities?
  • The certificate must be current (within its “Valid from...to...” date range).
  • The certificate must not be on a revocation list (either CRL or OCSP).
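The three checks above as executable logic, using Go's standard crypto/x509 package. This is an added illustration, not part of the original page or the cloud service's own implementation: the root CA, serial numbers and host names are constructed fixtures, and the revoked-serial map stands in for the CRL/OCSP lookup a real verifier performs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// verifyChain applies the three checks listed above: chain to a CA in roots, every link inside
// its Valid from...to window at time now, no link revoked (revoked stands in for CRL/OCSP data).
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, revoked map[string]bool, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	if err != nil {
		return err // x509.UnknownAuthorityError or x509.CertificateInvalidError (Expired, ...)
	}
	for _, c := range chains[0] { // leaf first, trusted root last
		if revoked[c.SerialNumber.String()] {
			return fmt.Errorf("revoked certificate in chain: %s", c.Subject.CommonName)
		}
	}
	return nil
}

// issue builds a constructed test certificate (CA or server), self-signed when parent is nil.
func issue(cn string, serial int64, isCA bool, from, to time.Time,
	parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: to, BasicConstraintsValid: true, IsCA: isCA,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // fixture: errors ignored on purpose
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	ca, caKey := issue("Test Root CA", 1, true, now.AddDate(-1, 0, 0), now.AddDate(5, 0, 0), nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf, _ := issue("www.example.com", 2, false, now.AddDate(0, 0, -1), now.AddDate(1, 0, 0), ca, caKey)
	fmt.Println("valid leaf:  ", verifyChain(leaf, roots, nil, now))
	fmt.Println("revoked leaf:", verifyChain(leaf, roots, map[string]bool{"2": true}, now))
}
```

An expired leaf, a self-signed leaf that is not in the root pool, or a revoked root all make verifyChain return an error, which is the condition under which the end user sees the certificate error page described below.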

To choose whether or not to use certificate verification, in the Certificate Verification Bypass section on the SSL tab, set Perform certificate verification to On or Off.

Important: We strongly recommend that you verify certificates for HTTPS sites. If you switch this option off, you increase the risk from malicious sites whose certificates misrepresent their identity (for example, a site called gogle.com pretending to be Google).

If certificate verification fails, the end user sees an error page and cannot access the website unless you allow them to access sites with certificate errors by marking Allow end users to bypass all certificate errors. In this case, end users see a notification page informing them that a certificate error has been detected, and have the option to either proceed to the site or go back. This notification page is not available for I Series appliances.

If you choose to perform certificate verification, you can maintain a list of domains and IP addresses for which the cloud service bypasses certificate verification errors. This enables end users to visit a site even if the certificate is invalid. You may want to do this for sites that you trust even if, for example, the certificate has expired, is not yet valid, or is self-signed.

You can manage domains and IP addresses for bypass as follows:

  • To add items for certificate verification bypass, enter one or more domain names or IP addresses separated by commas, then click Add. IP addresses can also include the port number (for example 127.0.0.1:80). You cannot add IP address ranges.
  • To delete a domain name or IP address from the bypass list, select the item and click Delete. You can use the Ctrl and/or Shift keys to select multiple items for deletion.

Click Save when done.