SSL Scanner

Using this section, you can configure actions for content with certificates issued by known Certificate Authorities (CAs) that are either trusted or untrusted, as well as for unknown Certificate Authorities.

A vendor, having signed content by issuing a certificate, may request a CA to issue a certificate to sign this vendor certificate. This CA may itself have been signed by another CA, issuing certificates on a higher level. Together, these certificates form a certificate chain, which is inspected in a verification process. The CA that signed a certificate located on a lower level of the certificate chain is also called the root CA.

The verification process begins by checking the CA that immediately signed the vendor certificate. It may be known, i.e., be included in the list of known CAs. If the CA is unknown, the verification process checks the CA on the next level and goes on to do so, until a known CA is found, or all CAs in the certificate chain have proven to be unknown. Usually, there are no more than three levels to a certificate chain.

The first known CA to be found in the verification process is then checked as to whether it is trusted or untrusted. To be trusted, a CA must be included in the list of trusted CAs.

The list of trusted CAs is configured in the Trusted Certificate Authorities section, which is also provided on this tab.

To edit the list of known CAs, use the Known Certificate Authorities link, which is located at the top of this tab, to go to the tab provided for this purpose.

When configuring actions for trusted CAs, remember that you have to select actions that include a Log Incident part, e.g. Block & Log Incident, if you want to have incidents related to these CAs listed by the incident manager.

After specifying the appropriate settings here, click on Apply Changes to make them effective.

Use the drop-down lists provided here to configure actions for the following situations:

First known CA is trusted

Select an action here that should be taken if the first known CA is trusted.

First known CA is untrusted

Select an action here that should be taken if the first known CA is untrusted.

Only unknown CAs found

Select an action here that should be taken if only unknown CAs have been found.
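
The verification process and the three situations above can be modeled as follows. This is an added example, not code from the product: it models only the lookups in the known and trusted lists (no signature validation), and the CA names, the "Allow" action and all function names are constructed for illustration.

```python
from enum import Enum

class Situation(Enum):
    FIRST_KNOWN_TRUSTED = "First known CA is trusted"
    FIRST_KNOWN_UNTRUSTED = "First known CA is untrusted"
    ONLY_UNKNOWN = "Only unknown CAs found"

def classify_chain(issuers, known_cas, trusted_cas):
    """Return (situation, deciding_ca).

    issuers: CA names, starting with the CA that immediately signed the
    vendor certificate and moving up one level per element.
    """
    for ca in issuers:
        if ca not in known_cas:
            continue  # unknown CA: check the next level
        # The first known CA decides the outcome; higher levels are ignored.
        if ca in trusted_cas:
            return Situation.FIRST_KNOWN_TRUSTED, ca
        return Situation.FIRST_KNOWN_UNTRUSTED, ca
    return Situation.ONLY_UNKNOWN, None

def select_action(issuers, known_cas, trusted_cas, actions):
    situation, ca = classify_chain(issuers, known_cas, trusted_cas)
    return actions[situation], situation, ca

# Constructed sample data (not taken from any real CA list).
KNOWN = {"Example Root CA", "Example Legacy CA", "Example Issuing CA"}
TRUSTED = {"Example Root CA", "Example Issuing CA"}
# "Block & Log Incident" is named on the page; "Allow" is a placeholder.
ACTIONS = {
    Situation.FIRST_KNOWN_TRUSTED: "Allow",
    Situation.FIRST_KNOWN_UNTRUSTED: "Block & Log Incident",
    Situation.ONLY_UNKNOWN: "Block & Log Incident",
}

CHAINS = {
    "trusted issuer": ["Example Issuing CA", "Example Root CA"],
    "unknown issuer, trusted root": ["Dept CA", "Example Root CA"],
    "untrusted CA below trusted root": ["Dept CA", "Example Legacy CA", "Example Root CA"],
    "nothing known": ["Dept CA", "Private Root"],
}

if __name__ == "__main__":
    for label, chain in CHAINS.items():
        action, situation, ca = select_action(chain, KNOWN, TRUSTED, ACTIONS)
        print(f"{label}: {situation.value} (decided by {ca}) -> {action}")
```

The third chain shows the case worth checking when you maintain the lists: a known but untrusted CA on a lower level decides the result even though a trusted CA sits above it.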
