Configuring Certificate Validation

End users generally cannot judge whether a certificate authority is trustworthy, so when a browser warns about a certificate from an unknown issuer they tend to click through and accept it anyway. To address this, the Web Appliance ships with a list of widely trusted certificate authorities (the Sophos certificate authority list) and validates site certificates against it automatically. You can also add your own certificate authorities to a Custom list. Together, these lists move the trust decision from the user to the appliance: users can no longer accept certificates from issuers the appliance does not trust.

The Configuration > Global Policy > Certificate Validation page allows you to control the HTTPS (SSL/TLS) certificate validation process. Sophos provides a list of certificates from recognized third-party certificate authorities that are automatically accepted. You can also add certificates from other sources that you want to be accepted. If Certificate Validation is enabled, your users will only be able to access HTTPS sites whose certificates chain to an issuer in the Sophos certificate list or the Custom certificate list. If a user attempts to access an HTTPS site whose certificate comes from a source that is not in these lists, the Invalid certificate page is displayed and access to the requested site is blocked.

  • To enable or disable automatic certificate validation, beside Certificate Validation, either click On to enable it, or click Off to disable it, and click Apply.

    Automatic certificate validation is based on both the Sophos and Custom lists.

    Important
    When HTTPS scanning is enabled, certificate validation is enabled automatically. You can turn validation off on this page while HTTPS scanning stays on, but understand the risk before doing so. With HTTPS scanning on, the appliance replaces each site's real certificate with one issued by its own certificate authority, so the browser always sees a valid, trusted chain and its own certificate warnings no longer tell users anything about the real site. A phishing site presenting a certificate from an untrusted issuer would look exactly like a legitimate one. Keeping certificate validation enabled restores that check on the appliance: such sites are blocked before a re-signed certificate ever reaches the browser.
  • To add a certificate from a website to the custom certificate list, see "Adding a Certificate from a Web Site".
  • To add a certificate authority to the custom certificate list, see "Adding a Root Authority Certificate".
  • To remove a certificate from the custom certificate list, select the check box to the right of the certificate in the custom certificate list that you want to remove, click Delete, and then click Apply.
  • To view Sophos root authorities, at the bottom of the custom certificates list, click View Sophos root authorities, and browse the list of the root certificate authorities supplied by Sophos in the Root Authorities pop-up dialog box.
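
The behaviour described above, worked through as an added example with OpenSSL. This is not Sophos code and does not touch the appliance; it models the Sophos list and the Custom list as one local trust bundle, and models HTTPS scanning as re-issuing a site's certificate under a separate "appliance" CA. Every CA, key, hostname and file name is constructed here for the demonstration.

```sh
#!/bin/sh
# Added example, not Sophos code: models the appliance's certificate
# validation and its HTTPS-scanning re-signing with OpenSSL.
# Every CA, key and hostname below is constructed for the demonstration.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

make_ca() {  # $1 = file stem, $2 = CN: a self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}
issue_leaf() {  # $1 = issuing CA stem, $2 = hostname, $3 = output stem
  openssl req -newkey rsa:2048 -nodes -keyout "$3.key" -out "$3.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$3.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$3.pem" >/dev/null 2>&1
}

make_ca sophos-root  "Constructed Public Root CA"        # stands in for the Sophos list
make_ca custom-root  "Constructed Corp Internal CA"      # what you add to the Custom list
make_ca rogue-root   "Constructed Untrusted CA"          # in neither list
make_ca appliance-ca "Constructed Appliance Scanning CA" # trusted by managed browsers

issue_leaf sophos-root www.example.com      public-site
issue_leaf custom-root intranet.example.com intranet-site
issue_leaf rogue-root  login.example.com    rogue-site

# validate_cert CERT CA.pem...: the appliance's check, modelled as one trust
# bundle made of the Sophos list plus whatever is in the Custom list.
# Exit 0 = certificate chains to a listed CA; non-zero = Invalid certificate page.
validate_cert() {
  cert=$1; shift
  cat "$@" > bundle.pem
  openssl verify -CAfile bundle.pem "$cert" >/dev/null 2>&1
}

# browser_sees SITE_STEM HOSTNAME: what HTTPS scanning hands the browser in
# place of the site's own certificate: a fresh one issued by the appliance CA.
browser_sees() {
  issue_leaf appliance-ca "$2" "$1-rewritten"
  echo "$1-rewritten.pem"
}

decision() {  # prints ACCEPT or BLOCK for validate_cert's arguments
  if validate_cert "$@"; then echo ACCEPT; else echo BLOCK; fi
}

# Sophos list only: the public site passes, the internal site is blocked
echo "public-site   (Sophos list):        $(decision public-site.pem sophos-root.pem)"
echo "intranet-site (Sophos list):        $(decision intranet-site.pem sophos-root.pem)"
# Sophos list + Custom list: the internal site passes, the rogue issuer still fails
echo "intranet-site (Sophos+Custom list): $(decision intranet-site.pem sophos-root.pem custom-root.pem)"
echo "rogue-site    (Sophos+Custom list): $(decision rogue-site.pem sophos-root.pem custom-root.pem)"
# Why validation must stay on with HTTPS scanning: after re-signing, the
# browser only ever sees an appliance-issued certificate, which it trusts
rewritten=$(browser_sees rogue-site login.example.com)
echo "rogue-site as seen by browser:      $(decision "$rewritten" appliance-ca.pem)"
```

The last line is the point of the Important note above: once the appliance re-signs traffic, the browser's own verification passes for every site, including the one issued by the untrusted CA, so the only place the untrusted issuer can still be caught is the appliance's validate step.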