Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
256
Views
0
Helpful
0
Replies

CSCvj47877 - WSA - Exception for specific server certificate - Trust a server but not its CA in general

forschungsgruppe
Level 1
Level 1

‎05-17-2018 04:27 AM - edited ‎03-20-2019 10:09 PM

Here some additional background information as a summary

==============================================

 

Problem: "Exceptions for particular server certificates not possible"

---------------------------------------------------------

One of our partners has a HTTPs server secured with a server certificate issued by a public CA stated as weak. Since we were able to check validity by other means (finger print etc.), we want to trust this particular server certificate, but not the weak CA in total.

 

Most popular browsers like eg. Firefox offer the possibility to simply add an exception to achieve this. Microsoft Windows offers a certificate store for trusted server certificates besides the store for trusted CAs as well. So this is a very common functionality, that is still missing on WSA/ESA.

 

Workaround: "not possible"

-----------------------

As a workaround, setting the option for invalid certificate from drop to monitor for this site (the site served by this particular server), is not an option, because it breaks security concepts totally.
Eg.: If the server is hacked and the certificate is replaced by another certificate (of the broken CA or any other). This will be detected when setting an exception, because we do not trust the other certificate nor the broken CA. Setting the "monitor" option for invalid certificates for this site will not detect the replacement of the certificate and will not prevent eg. a man-in-the-middle-attack. The only clean way is to set an exception.

 

Solution: "Server Certificate List"

----------------------------

Please implement a trusted/distrusted server certificate list beside the trusted root certificate list to deal with exceptions to single server certificates, that gives the possibility to trust particular server certificates of generally distrusted CAs and distrust particular server certificates of generally trusted CAs.


Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents