* Certs and Web Appliance

Does the web appliance work with * certs?  It seems that every time I see an organization with a cert issued to *.company.com, the web appliance does not allow access to the page until I add that site to the bypass list for SSL.  It says that the site certificate is not valid although I cannot find any problems with it.  Am I doing something wrong?

Here's an example site:

https://www.ctspurchasing.com/

Jason

  • www.ctspurchasing.com uses a certificate signed by Network Solutions Certificate Authority.  When Certificate Validation is turned on, we validate the issuer of the certificates used by the secured sites.  Unfortunately, Network Solutions Certificate Authority is not in our system yet.  Therefore, the certificate used by www.ctspurchasing.com fails the Certificate Validation.

    We expect customers may run into this situation, so we provide two ways to work around it.  The first method is what you said.  You can add the certificate used by the secured site.

    The second method is to upload the certificate(s) required to validate the certificate used by the secured site.  For www.ctspurchasing.com, here are the steps:

    1) Start Google Chrome on a Linux computer
    2) Set Google Chrome to connect directly to the Internet
    3) Browse to https://www.ctspurchasing.com
    4) Once loaded, click on the yellow lock icon at the end of the address bar
    5) In the Security Information window, click Certificate Information
    6) In the Certificate Viewer window, select the Details tab
    7) In the Certificate Hierarchy area, select Network Solutions Certificate Authority and click Export
    8) In the Save File window, select Base64-encoded ASCII, single certificate, enter a file name and save the file.
    9) Go to our Administration Web Interface > Configuration > Global Policy > Certificate Validation page.
    10) Under the Add root authority certificate area, click Browse, select the file exported in step 8, and click Add.

    Now, https://www.ctspurchasing.com will not fail the Certificate Validation check.

    I have created an item to include Network Solutions Certificate Authority in our system.  The reference number is SUG60980.  When this issue is addressed, it will be documented in Help > Release Notes.

  • Ok, so it's not that the appliance didn't like the Star cert, it's that it didn't like the root authority that issued it?

    If I may make a suggestion for usability, could there be some way for the appliance to call that out at some point?  Like when you put the site name in and click "download" on the cert on the "Certificate Validation" page, maybe some big red letters near "Issued by" that say "Not trusted".  Heck, make it even easier with a "Trust" button next to the big red warning?  :smileyhappy:

    I'll check that now, but I just assumed the appliance started with approximately the same root trusts as my web browser, so I wasn't looking at the issuing authority, just the dates and that the "Issued to" matched the site name.

    Thanks

    Jason

  • > Ok, so it's not that the appliance didn't like the Star cert, it's that it didn't like the root authority that issued it?

    Yes, you are correct.

    > If I may make a suggestion for usability, could there be some way for the appliance to call that out at some point?  Like when you put the site name in and click "download" on the cert on the "Certificate Validation" page, maybe some big red letters near "Issued by" that say "Not trusted"

    I will speak to the product management about how to improve our Certificate Validation feature.  Thank you for your input.

  • Ok, one last question, because things are not working as I expected.  I'm able to add certs and that is fine.  But, as I understand how certificates should work:

    Let's say Verisign has a root cert named "Verisign root cert" that is trusted.  "Verisign root cert" issues "Verisign intermediate cert 1" through "Verisign intermediate cert 5".  "Verisign intermediate cert 3" issues a cert to "Bob's garage software".

    Shouldn't I be able to go to https://bobsgaragesoftware.com without explicitly trusting "Verisign Intermediate cert 3", just by trusting "Verisign root cert"?  Because that does not seem to be the behavior I'm experiencing with the appliance.

    It seems I'm having to download and add a lot of intermediate certs.  And that seems to be against the point of trusting root certs.

  • When a root certificate authority (CA) is known to the system, we trust the certificates used by secured sites that are signed by that root CA.

    However, when intermediate CAs are involved, we want to be able to validate them as well, because we do not know whether or not these intermediate CAs can be trusted.  Often, the intermediate CAs are not the same company as the root CA.  If you have a longer chain (root signs inter1, inter1 signs inter2, inter2 signs the end certificate), then the potential risk increases.

    So to be cautious about it, we require the intermediate CAs to validate the certificates used by secured sites (if they are signed by a chain).

    If you find us missing intermediate CAs, then please contact us in the Administration Web Interface > Help > Sophos Support.  We will gladly investigate and include legitimate intermediate CAs in our system.  Thank you.

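The root-versus-intermediate behaviour described in this answer, and the scenario sketched in the question before it, as an added example that is not part of the thread: it builds a throwaway root -> intermediate -> leaf hierarchy with openssl (all names invented) and checks the leaf against a root-only trust store, with and without the intermediate being available.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway root -> intermediate -> leaf
# hierarchy built with openssl to show why a root-only store rejects chained leaves.
set -e

build_chain() {
  WORK=$(mktemp -d)
  cd "$WORK"
  # Extensions that mark a certificate as a CA (the intermediate needs them to sign anything).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Self-signed root: the only certificate a "root-only" trust store contains.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -sha256 -extfile ca.ext \
    -out root.pem 2>/dev/null
  # Intermediate signed by the root (the "Verisign intermediate cert 3" of the question).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -sha256 -extfile ca.ext -out inter.pem 2>/dev/null
  # The same leaf CSR signed once by the intermediate and once directly by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 1 -sha256 -out leaf_via_inter.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -sha256 -out leaf_via_root.pem 2>/dev/null
  # Trust store with the intermediate added, which is what the appliance asks for on chained sites.
  cat root.pem inter.pem > store.pem
}

# verify_leaf LEAF STORE [UNTRUSTED_CHAIN] -> prints OK or FAIL.
# UNTRUSTED_CHAIN stands for intermediates a web site sends along with its own certificate.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

build_chain
echo "root-only store, leaf via intermediate:        $(verify_leaf leaf_via_inter.pem root.pem)"
echo "root-only store, leaf signed by root itself:   $(verify_leaf leaf_via_root.pem root.pem)"
echo "root-only store, site also sends intermediate: $(verify_leaf leaf_via_inter.pem root.pem inter.pem)"
echo "store with root + intermediate added:          $(verify_leaf leaf_via_inter.pem store.pem)"
```

The first check fails only because the intermediate is neither in the store nor supplied by the site; once it is present either way, the leaf chains up to the trusted root.
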
  • Along this same subject, how come a site will be untrusted on a user's computer, but the same site on my computer will be trusted?

    We all have the same sophos certificate, are all on the same network, and are using the same policies.

  • Hi,

    When you say 'not trusted', do you mean that the browser gives you a certificate error?

    If you're using HTTPS scanning, the cert of the website will be replaced with a certificate generated by the Web Appliance.  So, as long as the browser trusts the web appliance as a root authority, it should work fine.  See this KBA:

    http://www.sophos.com/en-us/support/knowledgebase/42153.aspx

    On the other hand, if you don't use HTTPS scanning, the certificate won't be replaced at all.  Whether the certificate is trusted or not will depend on the browser (e.g. maybe one of the browsers doesn't have the intermediate installed?).

    You can usually view the certificate in your browser to get more information about who issued it and why the browser is complaining.

    -Tom.
